This really isn’t a security vulnerability, but it is a bit strange. As I leave Terminal running, with one tab in a screen session on a remote host and other tabs coming and going, weird things happen with my ability to right-click on URLs. Occasionally it will only let me right-click on things that aren’t URLs, but most of the time it simply displays an arbitrary, but increasing over time, number of “Open URL” options. Mine goes to 11:

Open URL X 11

Trying it right now, I get 10. The number fluctuates, but increases over time. Restarting Terminal resets it back to only having one.

This is a little off-topic for this blog, but I couldn’t find anyone else on Google that has the same problem, so I figured I’d throw this post up so that when someone else with the same problem searches for it they’ll find this. Then they’ll email me or comment and we’ll be best trivial-bug-friends. Maybe we’ll start a support group or something.

 

I’ve posted about this before, regarding Twitter’s signup process, although Facebook’s signup process is probably the most well-known example. Now, I see it on Slideshare. For future reference, when you see this:

 

SlideShare Fail

Please do this:

SlideShare 2

I’m sure most of my readers can imagine what a bad idea it is to hand their email password over to a third party. What’s more dangerous is that this functionality might become more common. If every social-networking-site-of-the-week integrates something similar into their signup process (and it is attractive for them), then it will become more natural for users to expect it, making them less likely to question it. Overall, it makes phishing a lot easier, as now you have a wider choice of sites you can mimic, or you can just make up something completely new.

Also, at least in this specific case, the credentials you’re handing over are not going over SSL. Who knows what precautions are being taken on the other side of this web application, where it’s actually signing into your email and harvesting out the information. You might be carefully using GMail only over SSL for your sessions with it, but there’s no guarantee that SlideShare/Twitter/Facebook will be doing the same. There’s also no real assurance that your credentials haven’t been cached or stored in some way.

Using these features may also make you look like a bad Internet citizen. I know of at least one case where a user signed up, the site automatically picked up all of his contacts, and immediately spammed out a referral email to every one of them, including mailing lists. Your friends and other contacts might not like this very much.

I think it’s a bad idea, and I hope that it doesn’t become a more widespread trend than it already is.

 

In the interests of full disclosure, I will admit right here that this post is mostly an excuse for me to play with the new 2.5 version of WordPress, and slideshare.net. I’m writing this with the Visual editor, which I’m giving a second chance after I turned it off long ago. So far, I’m pretty happy with the new WordPress dashboard interface, and Slideshare is pretty cool too.

To keep this from being purely experimental, and to give my readers the content they so feverishly desire, I decided to upload a guest lecture I gave earlier this semester to the CSE 6243 Information and Computing Security class. It was early in the semester, so I wanted it to be light and informal; I just covered a summary of ten security tools (and then some) that someone going into this field might want to familiarize themselves with. Enjoy!

I really enjoy watching and listening to hacking/security conference presentations that have been posted to the web. I’ve posted links to audio and video of a few conferences before, along with a huge archive of the biggest conferences. Recently I mentioned that Blackhat DC 2008 and Shmoocon videos were coming soon, but these have not been posted or uploaded to any video sites that I am aware of.

On the bright side, videos are being posted of the recent SOURCE Boston 2008 conference:

The only one I’ve watched so far is the l0pht Panel, which is a reunion of many of the l0pht’s old members. I really enjoyed this, as I have always had a lot of admiration and respect for the things they’ve done. Also, I was always jealous of their “hacker space” which is, to this day, the example that comes to my mind when people use that term.

I was previously unaware of the DeepSec conference, but I ran into one video from the 2007 conference when I was searching for other conference videos on Google Video. Searching for “DeepSec” on Google Video turns up a lot of videos from this conference, and it looks very interesting. It seems to be a very technical conference with interesting presentations by some very smart people (Aitel, Halvar, Litchfield, and many more). I haven’t watched any yet, but I’m looking forward to it.

Also, the Internet Storm Center has started a biweekly podcast, talking about current threats and news. The first episode has been posted, and it’s definitely something that I’ll add to the other shows I listen to regularly.

Have a good weekend!

 

I’ve just been informed over Twitter that I was mentioned by Intelguardians at CanSecWest in Vancouver today, presumably at their Cold Memory Forensics Workshop. Assuming that this isn’t some cruel prank, and you’re dropping by here because of the presentation, I hope you manage to find what you’re looking for! Here’s a list of relevant posts and pages here:

I’m happy to hear that folks are getting some use out of it. I might hack around with it a little more this weekend, since people seem to like it.

If anyone has any notes or more information on what exactly went on at CanSecWest during this workshop, I’d appreciate it if you would either leave a comment or send me an email.

 

Update: In the interest of fairness, I have decided to approve pretty much any comment that Yousif wants to post to this blog entry, and I’ll even quote them up top here. He can use the opportunity to express regret, remorse, state that he wants to change his ways, or he can just call me a redneck fruit. Here’s what he has to say currently:

This is total bullshit and has been modified for the intent of a joke, all of this data is falsified.

I’ll add to this, if he comes up with anything else.


It always amazes me how often and blatantly people will incriminate themselves. Even today, when most (or at least the most dangerous) attackers are motivated by profit, there are still “script kiddies” that simply do it to make themselves seem cool among their peers. To that end, they have to brag, show off, and command respect in a way that runs completely counter to the usual desire to not get caught or exposed. Sooner or later, they show off to the wrong person.

This is the case with Yousif Yalda, a 17 year-old from Skokie, who has been in contact with me over the past several months. If the subset of security professionals on my Twitter feed are any indication, I’m one of many people in this field that he has been in touch with recently. Throughout this time period he has tried to hire me for his web security and penetration testing business, VAPT Security, and has discussed, at length, his desire to make it big in the security industry. He also has quite a temper, which would flare up when I dismissed requests to work for him, refused to post comments to his blog, and criticized some of his work. This is when he would make allusions to his “black hat” past, terrorizing AOL with Visual Basic programs written by his friends (no, I’m not kidding).

I’m all for someone throwing their hat in the ring, and I also think it’s fine for someone to put their “black hat” past behind them, perhaps even using those experiences for the forces of good. I do, however, expect people like Yousif to conduct themselves professionally and not damage the image of penetration testers as a whole. Running assessments and attacks on sites without their permission, showing off confidential documents stolen from organizations, and attempting to infect others’ PCs with trojans are not ethical activities for penetration testers to run outside of an agreed-to test.

Going back to how people incriminate themselves, I wouldn’t have found out the extent of Yousif’s activities if he hadn’t invited me along to see, and if he didn’t have such a desire to brag and demonstrate his (mostly imagined) skills. Previously, he had mentioned running scripts and tools against other sites, and admitted that he had not asked permission beforehand, but I had never seen any of it first-hand. Then one day I saw his away message set to this:

I just figured he had gotten owned. Copying and pasting the link showed it going to his IP address on port 5800, which is typically a web interface to a VNC server. I didn’t get a response on the AOL name when I asked if he was having problems, but then he showed up on gtalk:

It was an invitation, not only to the people on his “buddy list”, but also to anyone who could check his away message (basically anyone on AIM). I clicked, and was dropped into a VNC session (without mouse or keyboard control) watching Yousif Yalda “drive”. Over the next few hours that night, Yousif was in a veritable script-kiddie zone. In an effort to impress another friend on his AIM buddy list, he went through several “hacks”, past and present, of varying success. All this with the knowledge that who-knows-who-else was watching.

I took screenshots, and I’ve sat on them for a week or so now. I’ve decided that, since he doesn’t show any remorse or regret for the things he’s done, at the very least his “targets” have a right to know who’s been pointing crappy scripts and tools against them. Potential clients should know how little he respects ethical procedures and confidentiality. Others involved in security that he’s been talking to (a seemingly large number) need to know who they’re dealing with. At the very least, know when you’re talking to him that there’s likely to be someone else watching on a VNC session.

On to the fun part: a look into the mind and actions of a script kiddie. We’ll start with an attempt to infect a friend with a trojan. Here he is making a copy of the server executable:

…and uploading it to the same hosting that he uses for his business:

I’ll spare you the logs of Yousif trying to convince his friend to download and run the trojan, which he disguised as the setup file for a Steam account. He managed to convince the victim after some time, and even got him to disable AV and firewalls, although unfortunately for Yousif, it appears that his victim was probably NAT’d behind a home router:

Despite its lack of success, it impressed the friend Yousif was showing off to enough that he asked about the “CIA” name. A habitual liar, Yousif claimed he made it “2-4 years ago”. I have since found out that many things he will claim about his associations with others and things he has done have been greatly exaggerated (including claims that a well-known web security professional hacked sites alongside him).

Next Yousif showed his friend, and anyone else watching, a directory in which he keeps documents that he has apparently stolen from a real estate/mortgage company. There are many letters from banks about the status and balance of people’s accounts, taxes, and other personal information. I can’t really show screenshots here, even of the directory listing, as I would have to censor them so heavily it wouldn’t be worth looking at.

Here are a couple of emails he sent to himself from hacked accounts as trophies:

Those are pretty old, but then he decides to show off some of his scripts and tools on one of the old victims (the latter of the two victims above).

He really likes a perl script that he has for doing RFI scanning, and Acunetix, which you might remember from my last post as the tool he pointed at this website. Thankfully, in this case, he doesn’t find much. Notice in the screenshot of Acunetix above that he accidentally pastes the URL to the current site he’s scanning right after the URL of the last site he scanned with the tool, revealing yet another target besides myself and the sites he scanned during his open VNC session.

For the last example of Yousif Yalda’s activities, we have him taking aim at a real estate investment firm that he has apparently been playing with for some time, judging from the dozens of entries in his browser history. As you can see, he doesn’t quite understand what he needed to substitute into the script before running it:

The funny part of this is that when he does go to try the RFI out, he realizes that he needs to remote-include a php shell, so he goes and does a web search for r57. Instead of finding the source code hosted on another site, or setting one up himself, he manages to find another site that is already running r57 as a result of RFI or similar, and tries (without realizing what he’s looking at) to include the rendered page from there instead of the php source. It’s a wonder that this guy has anything to show off to his friends at all, and one would hope he wouldn’t stumble around so much on a real penetration test.

So what do we take away from this? Despite claims that attackers now are motivated by profit, we still see script kiddies (mostly in their teens) that are launching attacks in order to gain the admiration and respect of their peers. To this very moment it blows my mind that he invited me and others to watch this, and at first I wanted to ask, “If this is what Yousif does when he has invited people to watch him, who knows what he gets up to when he’s on his own”, but then I realized that he thrives on the attention and admiration. Although it’s not the kind of attention that he wants, I hope that others in the security community (or even potential clients) that have been or will be in contact with him see this and realize who they are dealing with. His targets are also being notified so they can review their logs. I thought about that for a while, but concluded that I normally notify other potential victims I become aware of in any other kind of incident investigation, and these deserve no worse.

I have enough material on this to cover another dozen blog posts, and I might post a more lighthearted “deleted scenes” later on. If you have any interesting Yousif Yalda stories (which, if he’s tracked you down to talk to you, you do), feel free to post them as comments or email them in.

I’ll be back on a regular posting schedule with some book reviews, news commentary, and technical posts soon!

 

When we describe the process an attacker goes through to compromise their target, we usually try to break it up into different phases with terms like reconnaissance, enumeration, probing, and exploitation. This varies when we talk about different kinds of attackers. Some, with no specific target in mind, will skip “casing the joint”, and just scan massive numbers of sites for specific vulnerabilities.

The real bottom-of-the-barrel here is the attacker that tries to compromise a site with a tool meant for vulnerability assessments. These are tools that are not built for any sort of stealth or finesse, because they are meant to be run in the course of a vulnerability assessment by a pentester (using the term loosely here) or systems administrators that want the scan over with quickly. In this case, it doesn’t matter if it leaves a huge signature in the logs or if the IDS screams bloody murder, because the person responsible for tending to those alerts is the person who ran the tool, or is at least aware of the test. This is not as desirable for an attacker who is trying to avoid getting caught or alerting admin/security staff of a breach.

In this specific example, we’ll take a look at some logs generated by an attack launched against this website. The attacker, in this case, is using the Acunetix Web Vulnerability Scanner (likely a pirated copy), and obviously hasn’t thought about what kind of signature it leaves in log files. Those who follow me on Twitter and other resourceful readers either already know who this is, or could find out with a little sleuthing and deduction. I haven’t bothered to sanitize the IP address, so you can look through your own logs for traffic like this coming from this guy’s usual range of IP addresses.

Here, I’m going to step through the highlights of the entries that this script kiddie left in my Apache logs. Notice the first two hits from this tool:


20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:49 -0500]
"GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.0" 404 240 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:49 -0500]
"GET /acunetix-wvs-test-for-some-inexistent-file-second-try HTTP/1.0" 404 251 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

So much for coming in undetected.

This serves a couple of purposes. If you were running this as part of a legitimate assessment, it lets you easily find the place in your logs where your vulnerability assessment started, as well as identify the tool used. I believe that this scanner will also compare the response to these requests with later responses, to determine when files aren’t found, although I haven’t personally used or tested Acunetix.

The tool then indexes the entire target website, apparently not throttling itself at all or making any attempt to disguise itself as normal traffic. I’ll spare you from having to look through the complete logs of it spidering my website, but I will bring your attention to a couple of entries, to show you something interesting:


20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:57 -0500]
"GET /training/ HTTP/1.0" 200 5176 "http://www.mcgrewsecurity.com:80/"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:57 -0500]
"GET /services/ HTTP/1.0" 200 6405 "http://www.mcgrewsecurity.com:80/"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

Notice the referral URL (the Referer header)? It is explicitly specifying port 80, which would not be necessary or normal for a typical web browser. Throughout the logs Acunetix generated, the referral URL consistently had the “:80”. Once it finished indexing, it tried a few (surprisingly few) simple exploits that didn’t work, and then it was over:


20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /cgi-bin/test-cgi.bat?|dir HTTP/1.0" 404 218 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /server-info HTTP/1.0" 404 209 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /server-status HTTP/1.0" 404 211 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /<<<<<<<<<<<< HTTP/1.0" 404 246 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini HTTP/1.0" 404 225 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET /php/php.exe?c:\\boot.ini HTTP/1.0" 404 209 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"TRACE /TRACE_test HTTP/1.0" 200 398 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"DELETE /wvs_test_for_inexistent_file.txt HTTP/1.0" 405 256 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"TRACK /TRACK_test HTTP/1.0" 501 217 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"PUT /web_scanner_test_file.txt HTTP/1.0" 405 246 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET / HTTP/1.0" 200 33894 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500]
"GET / HTTP/1.0" 417 397 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"

The moral of this story is to realize that, even when it's not in their best interests, lesser-skilled attackers will use tools that are meant for vulnerability assessments in attacks on systems. These tools are usually a poor choice for an actual attack. Acunetix is one example. Even more often you'll see attackers using Nessus to test for every single vulnerability they can. These are tools that are trivial to detect and should be very obvious to an alert administrator. If you use these tools in regular assessments of your own organization, be sure that you're able to determine easily which scans are executed by your staff and which are launched against you by inept attackers.
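To make the “know your own scans from someone else’s” point concrete, here is an added example (my code, not anything from the original post, from Acunetix, or from this site) that parses Apache combined-format lines like the ones quoted above and tallies, per client address, the fingerprints this post discusses: the acunetix-wvs-test-for-some-inexistent-file and wvs_test_for_inexistent_file / web_scanner_test_file marker paths, the TRACE/TRACK/PUT/DELETE probes, the Referer carrying an explicit :80, and the percent-encoded ..\ traversal attempts. The sample log is constructed: the scanner entries are the ones quoted above re-joined onto single lines with their grep-style filename prefix, plus one benign request from a documentation address (192.0.2.10) that I made up as a control. The indicator names and the min_hits threshold are my own choices.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log line, optionally prefixed with "filename:" the way grep
# prints it (as in the entries above). IPv4 only: an IPv6 client address contains
# colons and would be mistaken for a filename prefix by this pattern.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the scanner requests to calibrate itself, taken from the entries above.
SCANNER_MARKERS = (
    "acunetix-wvs-test-for-some-inexistent-file",
    "wvs_test_for_inexistent_file",
    "web_scanner_test_file",
    "/TRACE_test",
    "/TRACK_test",
)
# Methods a browser never sends to a static site (PUT/DELETE can be normal on a REST API).
NOISY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE"}
# A browser omits the default port in the Referer; the scanner writes ":80" explicitly.
PORT80_REFERER = re.compile(r"^https?://[^/]+:80/")
# Percent-encoded or literal "..\" / "../" traversal, or a grab for a well-known Windows file.
TRAVERSAL = re.compile(r"(?:%5c|%2f|\\|/)%2e%2e|\.\./|boot\.ini", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def indicators(entry):
    """Names of the scanner fingerprints present in one parsed request (at most one per kind)."""
    tags = []
    path = entry["path"].lower()
    if any(marker.lower() in path for marker in SCANNER_MARKERS):
        tags.append("scanner-marker-path")
    if entry["method"] in NOISY_METHODS:
        tags.append("unusual-method:" + entry["method"])
    if PORT80_REFERER.match(entry["referer"]):
        tags.append("explicit-port-referer")
    if TRAVERSAL.search(entry["path"]):
        tags.append("traversal-probe")
    return tags


def scan(lines, min_hits=3):
    """Tally fingerprints per client address and return the addresses with at least min_hits."""
    per_ip = defaultdict(lambda: {"requests": 0, "tags": Counter()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        record = per_ip[entry["ip"]]
        record["requests"] += 1
        record["tags"].update(indicators(entry))
    return {ip: rec for ip, rec in per_ip.items() if sum(rec["tags"].values()) >= min_hits}


# Constructed sample: the entries quoted in the post, one per line, plus a made-up
# benign visitor from the 192.0.2.0/24 documentation range as a control.
SAMPLE_LOG = """\
20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:49 -0500] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.0" 404 240 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:49 -0500] "GET /acunetix-wvs-test-for-some-inexistent-file-second-try HTTP/1.0" 404 251 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:10:57 -0500] "GET /training/ HTTP/1.0" 200 5176 "http://www.mcgrewsecurity.com:80/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini HTTP/1.0" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500] "TRACE /TRACE_test HTTP/1.0" 200 398 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500] "DELETE /wvs_test_for_inexistent_file.txt HTTP/1.0" 405 256 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:75.3.18.189 - - [05/Mar/2008:02:11:40 -0500] "PUT /web_scanner_test_file.txt HTTP/1.0" 405 246 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
20080305.log:192.0.2.10 - - [05/Mar/2008:03:00:01 -0500] "GET /training/ HTTP/1.0" 200 5176 "http://www.mcgrewsecurity.com/" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
"""

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {rec['requests']} requests, fingerprints {dict(rec['tags'])}")
```

Run it as a script to see the summary for the sample, or pass scan() the lines of a real access log. PUT and DELETE are legitimate on a site that exposes a REST API, so there drop them from NOISY_METHODS and lean on the marker paths and the :80 Referer instead; to tell a staff-run assessment from a hostile one, put your own scanner addresses on an allow-list before the per-IP tally.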

The attackers that choose these tools typically do so thanks to inexperience. They may feel that if it's used by "professionals", then it must also be good for their purposes. They may not understand the attacks or the process of finding vulnerable services, and therefore rely on a tool that seems like it will do all of the work for them. Pirated commercial tools are often desirable, as the inexperienced attacker might place more value on something that's harder to get, over freeware tools that anyone can download.

I will probably have some more stories about this particular script kiddie coming soon. There's certainly no shortage of material. The absolute master of script kiddie takedowns has a blog at VitalSecurity and is a must-read. I only hope I can be as entertaining with this as he is.

In the meantime between this post and the next, if you think you know who I'm talking about and have had interactions with him in the past, or you're just curious, grep through your access logs for "acunetix" and see if something in the 75.3.*.* (75.3.16.0 - 75.3.31.255 to be a little more precise) shows up. If that pops up something, or you see some other unusual activity from that range (admittedly large) send me an email and I might be able to corroborate things from my logs and yours to tie things together. I know for a fact that I'm not the only site he's been playing with ;) .

 

So it turns out that the admin of the rootshell-team.com forums has been copying and pasting content from this site into the “Tutorials” section of his forums without asking permission, or even giving any credit. I haven’t looked closer, but I imagine that the rest of the content on the site is ripped from other sources as well. Here’s an example:

Looks familiar!

With a little .htaccess magic:


# Turn on mod_rewrite for this directory
RewriteEngine on
# Match requests whose Referer is rootshell-team.com (with or without www), case-insensitively
RewriteCond %{HTTP_REFERER} ^http://(www\.)?rootshell-team\.com [NC]
# Redirect any image those pages hotlink to a replacement picture, and stop processing rules
RewriteRule \.(gif|jpg|png)$ http://mcgrewsecurity.com/img/lolrootshellteam.jpg [R,L]

…it turns into this:

Until it gets taken down, you can see for yourself at these two links:

That was fun.

 

Yesterday I did an email interview with SCMagazineUS.com reporter Sue Marquette Poremba, and the article was published later in the day here:

It’s not a bad article by any stretch of my imagination, but there were some points that I felt were important, and brought up in the interview, that didn’t make it through the writing and editing process. I can definitely understand this, as SC Magazine isn’t my soapbox to stand on (that’s what this site is for). I posted these points as a comment to the article, but they appear to have been deleted or “lost”. While I think that’s strange, I’ll let it be, and just post my points here (these might make more sense if you’ve read the article):

  • What I have written is not an “encryption scanner”. It simply dumps the contents of memory, in order to allow someone to data carve it for whatever they’re looking for, which could include images, passwords, text, or even encryption keys. My tool doesn’t “scan” for anything. It’s also kind of strange to call it “home-grown” in the title, and then refer to McGrew Security as a “research firm”. I suppose you could argue that both are true, though :)
  • The problem that I mentioned that the Princeton researchers “got around” was the large footprint in memory of other techniques of imaging RAM, such as using Linux Live CDs, not whatever the article is implying was the problem (recovering data from RAM, I think?).
  • One reason I wrote the tool was simply because the Princeton tool has not, as of right now, been released. I felt like it was important for security and forensic researchers and practitioners to be able to experiment and base further research off of a tool like this.
  • I should have placed more emphasis on this in my response, but I think one of the most positive uses for this could be for forensic examiners/investigators. The ability to capture the contents of RAM with a minimal impact, when seizing evidence, can be very helpful.
  • I have a lot of respect for the work that the Princeton researchers have done, and I think they have done an amazing job of raising awareness of an issue that’s been around for a long time.

These are things from the interview that didn’t make the cut, but I felt that people should know. It would have been nice if they would have kept my comment underneath the story, but this’ll just have to do. Everyone that I care about reads this blog anyways, don’t they ;) !

 

Matthew Geiger was kind enough to point out to me a very silly typo I had made when writing msramdmp. Rather than grabbing 8192 bytes every time it went through the loop in the first section of memory it dumps, it was only grabbing 8182. Ugh. This means that it was writing 0x00s for the last 10 bytes of every 8k (but thankfully, only for the smaller first section).

It’s fixed now, so if you downloaded it before, you should go and download it again. Sorry about that :) .
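As an added illustration (mine, not code from msramdmp, whose loop is not reproduced here), the following models the failure mode described above: a dump loop that advances through memory 8192 bytes per pass but copies only 8182 of them into a zero-filled buffer, leaving ten 0x00 bytes at the end of every 8k block. zero_tail_blocks() is the check an examiner could run over an image taken with the earlier build to see whether it carries that pattern. The memory contents are constructed (a repeating 0x00..0xFF ramp), and the assumption that the output buffer starts out zeroed is mine, inferred from the symptom rather than taken from the source.

```python
BLOCK = 8192                 # bytes the dump loop is meant to copy on every pass
BUGGY_READ = 8182            # what the typo actually read each pass
TAIL = BLOCK - BUGGY_READ    # the 10 bytes per block that were never overwritten


def dump_region(mem, read_len=BLOCK):
    """Chunked dump loop: step through mem one BLOCK at a time, but copy only
    read_len bytes of each block into a zero-filled BLOCK-sized output buffer.
    read_len=BLOCK is the fixed loop; read_len=BUGGY_READ reproduces the typo."""
    out = bytearray()
    for off in range(0, len(mem), BLOCK):
        buf = bytearray(BLOCK)                    # assumption: buffer starts zeroed
        chunk = mem[off:off + read_len]
        buf[:len(chunk)] = chunk
        out += buf[:min(BLOCK, len(mem) - off)]   # a short final block stays short
    return bytes(out)


def zero_tail_blocks(image, block=BLOCK, tail=TAIL):
    """Count the full blocks of image whose last `tail` bytes are all 0x00.
    Returns (flagged, total): flagged == total points at a dump from the buggy
    build, whereas a correct dump of live memory flags only the occasional block
    that genuinely ends in zeros."""
    total = len(image) // block
    flagged = sum(
        1 for i in range(total)
        if image[(i + 1) * block - tail:(i + 1) * block] == bytes(tail)
    )
    return flagged, total


# Constructed stand-in for the first section of memory: four blocks of a 0x00..0xFF
# ramp, chosen so that no block ends in zeros unless the dump loop put them there.
MEM = bytes(range(256)) * (4 * BLOCK // 256)

if __name__ == "__main__":
    print("fixed loop:", zero_tail_blocks(dump_region(MEM)))
    print("buggy loop:", zero_tail_blocks(dump_region(MEM, BUGGY_READ)))
```

On a real image, a flagged count equal to the total across the affected section is the tell; a handful of flagged blocks is normal, since live memory does contain zero-filled regions.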

© 2012 McGrew Security Suffusion theme by Sayontan Sinha