Monday, 4 August 2014

Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit.

Update: It has been patched on the 12th of August. "Surprise?"

[Revision; 6th of August, 2014]
To make it clear: The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method.

It works even without an eBay account, actually.


This blog is an excerpt from my blog entry, "Paypal's 2-Factor Authentication (2FA): The Good, The Bad, And The Ugly", in which I detail the use[fulness] of Paypal's 2Factor system.

On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a "special" Paypal page.

eBay, in conjunction with Paypal, provides a service where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

Linking the two accounts

Login Page

When you are redirected to the login page (above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is set up purely for Paypal & eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times.

I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.

==Found: 5th June 2014==
==Reported: 5th June 2014==
==Response: 27th June 2014==
==2nd Response: 27th June 2014==
==3rd Response: 4th July 2014==

On the 5th of August, I decided to release this publicly, because despite two months given, it still hasn't been fixed.

You can try it out, by logging into Paypal here:

(For the love of security, please make sure the page you go to is
Once you login(don't press return to eBay), go to


Found by Joshua Rogers(@MegaManSec)

Friday, 4 July 2014

PTV; The police, and the aftermath.

For backstory regarding the PTV story, the following articles should be read:

(Sydney Morning Herald) Schoolboy hacks Public Transport Victoria website - PTV #1
(Wired) Teen Reported to Police After Finding Security Hole in Website - PTV #2
(ABC) Melbourne schoolboy exposes security flaw in Public Transport Victoria's website - PTV #3

This blog entry is more a "diary" of what happened after the story broke.

Originally, I found the bug on the 26th of December, 2013, at around 2AM.
I reported the bug at around 3AM to around 30 company emails.

On the 6th of January, 2014, the original reporter (Adam Carey) was contacted by PTV, and was told that PTV had contacted the police (it was assumed that, if he didn't publish the story, they wouldn't contact the police; but this is unknown).

On the 7th of January, 2014, the story was run in The Age(Fairfax) newspaper.

On Thursday, the 8th of May, 2014, at 8:15AM, 6-8 fully armed police officers showed up at my place of residence(my house). Three of them were e-crime. 

A warrant was served to me, and two e-crime officers went into my room and started to catalogue my electronic belongings, and then seal them for evidence.

Two of the other (non e-crime) officers sat me down, and started asking me general questions, such as how I was, etc. I commented to them how I had been warned around a week earlier that a search warrant may have been approved by the court, and would subsequently be executed (I have a contact). They were definitely stunned, but we didn't speak of it other than that.

Interestingly, the day before, I was given information by somebody else in regard to somebody that was going to team-kill me at the end of a game. i.e; contacts are good.

Whilst talking about general stuff(and filling out forms w/ information like my age, my name, etc.), the third e-crime officer was asking me questions regarding security, such as "How many websites do you think are susceptible to SQL Injection?", and "What sort of encryption do you use?".

I suspect the reason for 3-4 armed police officers being there was in case there were any "incidents", such as either 1. destruction of property (my harddrive), or 2. if I were to try to run away (lolwut); nothing happened, though.

Halfway through this, I decided the best thing I could do was 'give up' my encryption keys. I let the third e-crime officer (/that was talking to me) know that he could just ask for the encryption code, because he could have it. 

If I had "anything to hide" (it hurts me to type this), I would have securely deleted it after I had the heads-up, no? That being said, I didn't.

They could have just gotten a court order for it, anyway.

(Also, my laptop, which uses DDR2 ram, was on at the time, so they could have used a Cold Boot Attack, or some other side-channel attack.)

After they had finished taking my stuff, a total of 10 items were taken.

1. My Laptop
2. My Home-Server
3. 1 USB Stick
4. 1 USB Stick
5. 1 USB Stick
6. An SD-Card
7. My Samsung Phone
8. A "Phablet" (which had only been used once.)
9. An Old Laptop (that didn't have a harddrive in it)
10. A Harddrive (From that old laptop)

Interestingly, they missed a few things. I later found another SD card, another USB, and an old-old-old phone(from 2006), all on my desk. Luckily I found that USB, because it meant that I could continue to watch movies on my television.

The thing I'm most 'annoyed' at, is the fact they took my phone. How else am I going to talk to hot girls(such as Lara(non-aus body #1) & Danae)?

After the search warrant was conducted, I was "officially" arrested. I wasn't charged with anything, though.

Due to the circumstances, I wasn't taken in the back of a police car. I was told just to make my own way to the police station within the next 15 minutes through my own means(driving).

When I made it to the police station, I was put in an interview room, and was read the charge that they suspected I had broken.

The charge was "Unauthorised Access, Modification, or Impairment with Intent to Commit a Serious Offence", which apparently features a minimum of 5 years imprisonment? (What?)

They ran through the normal questions as to what happened, my side of the story etc., in a recorded interview, with 2 police officers. Interestingly(and unsurprisingly, I guess), they did the good-cop bad-cop routine.

The interview took around 2 hours in total, and after it was done, I was free to go.

On the 2nd of July an "offer" was made, where I could sign a document that I acknowledged that I had broken the law, and get an official police caution.
I ended up taking it.

It doesn't get added to my record, but if I break the law in the same way, in the future, it will be re-added on(For 5 years, then it's completely deleted).

So, I guess the moral of the story is: Don't exploit any vulnerabilities you find without permission; whether you're doing the "right thing" or not?

Thursday, 26 June 2014

Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)


Paypal, like many other services, offers 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service: through a one-time code sent as an SMS to your mobile phone, or through a physical, credit-card-sized code generator. (Or optionally, a VeriSign ID Protection key, which you can set up on your phone for free here.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the lack of apparent security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes even when you do have access to your device, the code just doesn't work.

In this article, I'll be detailing "The good, the bad, and the ugly" of Paypal's 2FA programme. This includes what works, how it works, how it doesn't work, and security implications(full disclosure: there is/was a complete bypass for the 2FA without security questions.)

Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their creditcard sized number generator, and the VeriSign key generator.

The Good

Despite the bad publicity and the bad advertisement(not many people know Paypal supports 2FA), Paypal's implementation of 2FA is pretty good.

When you login to the website, it forwards you to a page that asks you for your security token. Multiple phone numbers can be used for the SMS service.

Logging in as per usual
2FA Page

You can choose which phone number Paypal will SMS, and it will send you an SMS to the respective number.

The actual implementation of this process is that when you initially login, you're not actually logged in; you're simply given a 'context' cookie set, which later is used to initiate the real login phase.

Paypal blocks brute-force attacks of the 6-digit code by locking you out after 5 attempts, requiring you to enter personal information to unlock it.

A common security over-sight when it comes to 2FA is that it is bypass-able by using the application's mobile App. Paypal doesn't suffer from this, thus is secure in that sense. ---- Apparently that wasn't 100% true.

SMS 2FA codes also expire after 5-minutes, thus cannot be re-used.

The Bad

Although there aren't too many problems with Paypal's 2FA programme, they still do exist.

Personally, using the SMS service, the only problem I have had is the fact that sometimes the SMS is delayed, and doesn't arrive within the 5 allotted minutes that you are given to enter it. Re-sending it usually doesn't fix this either, and they all just send at the same time (thus spamming your phone).

Noted by many, Paypal offers an option to bypass the 2FA procedure by entering in security questions, or your credit-card information. This is a huge no-no when it comes to 2FA. If your computer gets a virus, then the perpetrator is inevitably going to be able to get your credit-card information. And some security questions are guessable (e.g: Favourite Food?, First Teacher?, etc.).

The Ugly

And boy, is what I found ugly.

Nothing other than what I found constitutes as ugly for Paypal's 2FA programme -- Good Job Paypal!

A complete 2FA bypass is what I found. Yes, really. You completely bypass the page, and can send money, view/edit personal information, etc. All you need is an email and a password.

eBay, in conjunction with Paypal, provides a service where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

Linking the two accounts

Login Page

When you are redirected to the login page (above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is set up purely for Paypal & eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times.
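As an added illustration (my own example code, not PayPal's implementation and not from the original post), here is a small model of the login flow the "The Good" section describes and the design gap behind the eBay bypass: the first factor only creates a 'context', the SMS code expires after 5 minutes, five wrong codes lock the context, and both the normal login page and the integrated-registration entry point go through the same 2FA gate before any logged-in session exists. The names AuthService, Context, Session and the USERS store are invented for the example.

```python
"""Illustrative model (not PayPal's code) of a login flow with a 2FA gate."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 5 * 60   # SMS codes expire after 5 minutes (as the post notes)
MAX_ATTEMPTS = 5            # five wrong codes lock the context (as the post notes)

# Constructed demo credential store: user -> (password, 2FA enabled?)
USERS = {"alice": ("correct horse", True), "bob": ("hunter2", False)}


@dataclass
class Context:
    """State behind the 'context' cookie: first factor done, second pending."""
    user: str
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    """State behind the real session cookie; only issued once 2FA is satisfied."""
    user: str


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so expiry can be tested
        self.contexts: dict[str, Context] = {}
        self.sessions: dict[str, Session] = {}
        self.sent_sms: list[tuple[str, str]] = []   # (user, code) "delivered"

    # --- the single gate every entry point must pass through ---------------
    def _first_factor(self, user: str, password: str) -> str:
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored[0], password):
            raise PermissionError("bad credentials")
        return user

    def _issue(self, user: str) -> str:
        """Return a context token if 2FA is on, otherwise a session token."""
        token = secrets.token_hex(16)
        if not USERS[user][1]:
            self.sessions[token] = Session(user)
            return token
        code = f"{secrets.randbelow(10**6):06d}"
        self.sent_sms.append((user, code))
        self.contexts[token] = Context(user, code, self.clock())
        return token

    # --- entry points: the normal page and the integration page ------------
    def login(self, user: str, password: str) -> str:
        return self._issue(self._first_factor(user, password))

    def integrated_registration_login(self, user: str, password: str) -> str:
        # The bug in the post: this path issued a logged-in cookie straight
        # after the password. The fix is simply that it reuses the same gate.
        return self._issue(self._first_factor(user, password))

    def submit_code(self, ctx_token: str, code: str) -> str:
        """Exchange a context token plus a correct, unexpired code for a session."""
        ctx = self.contexts.get(ctx_token)
        if ctx is None or ctx.locked:
            raise PermissionError("no usable login context")
        if self.clock() - ctx.issued_at > CODE_TTL_SECONDS:
            del self.contexts[ctx_token]    # expired codes cannot be reused
            raise PermissionError("code expired")
        if not hmac.compare_digest(ctx.code, code):
            ctx.attempts += 1
            if ctx.attempts >= MAX_ATTEMPTS:
                ctx.locked = True          # brute-force cap from the post
            raise PermissionError("wrong code")
        del self.contexts[ctx_token]       # one-shot: the code is consumed
        token = secrets.token_hex(16)
        self.sessions[token] = Session(ctx.user)
        return token

    def is_authenticated(self, token: str) -> bool:
        """True only for a real session token, never for a context token."""
        return token in self.sessions
```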

I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.

==Found: 5th June 2014==
==Reported: 5th June 2014==
==Response: 27th June 2014==
==2nd Response: 27th June 2014==
==3rd Response: 4th July 2014==

Since there has been no fix yet(August 5th), I've decided to release this.

You can try it out, by logging into Paypal here:

(For the love of security, please make sure the page you go to is
Once you login(don't press return to eBay), go to

Update: It has been patched on the 12th of August. "Surprise?"



Overall, Paypal's 2FA programme is pretty good. Compared to others, it is fairly secure and worth using. Despite the occasional outages in the SMS service, it doesn't stop usability of the Paypal service.

I rate it a 6/10.(The bypass I found would make it a 0/10, but hopefully they fix that soon.)
-3 for the full bypass, and -1 for the security questions problem.

Despite being a 6/10, I still recommend everybody uses it. It can be enabled here:

Tuesday, 10 June 2014

Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.

Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them, without interrupting usability by the average user.

In this blog we'll be running through vectors of attacks that one could use to gain access to your unencrypted data.

Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04 LTS(Trusty), and all commands and patches work on it for the author. The author accepts no liability when it comes to these commands/patches being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with filenames encrypted. This can be checked using the command `ecryptfs-verify -h -e'
4. It is assumed you do not have the evil program called Java, or any of its counterparts like IcedTea, etc. installed.

When you're told to run the program 'Nano', you can use vim,vi,emacs, etc. Nano is purely the text editor that I use. To exit out of Nano, you press control-x.

FireWire attacks

Firewire has for a while been known to allow attackers to gain access to a computer's physical memory [RAM], and enable the attacker to grab the encryption key used for devices that are mounted.
The most obvious method of defeating this attack is by not compiling the kernel with any firewire modules included, but for the sake of this article, I'll include methods of mitigation. After all, some Ubuntu users probably wouldn't be able to compile their own kernel every update.

To mitigate the risks with firewire, we will disable them in a blacklist file in modprobe.d.

1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano /etc/modprobe.d/blacklist-firewire.conf'
2. Remove the contents(or comment everything out) and replace it with the following:
# Prevent automatic loading of firewire module(s).

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394

blacklist firewire-ohci
blacklist firewire-sbp2
blacklist firewire-core
blacklist firewire-net
blacklist firewire-serial

# Prevent manual loading of firewire module(s).

install ohci1394 false
install sbp2 false
install dv1394 false
install raw1394 false
install video1394 false

install firewire-ohci false
install firewire-sbp2 false
install firewire-core false
install firewire-net false
install firewire-serial false

This will 1. blacklist all the firewire modules from starting at boot, and 2. prevent loading of firewire through forceful techniques.

After doing this, you must run `sudo update-initramfs -k all -u' for it to take effect on next boot.
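Because a module is only fully blocked when both its 'blacklist' line and its 'install ... false' line are spelled correctly, here is an added check (my own example, not part of the post) that parses a modprobe.d file and reports modules covered by only one of the two mechanisms; the sample input is constructed in the post's format and deliberately contains a misspelled module name to show what the check catches. The function names and the assumed path of kmod's modprobe dry-run output are mine.

```python
"""Added check (not from the post): confirm a modprobe.d blacklist file pairs
every 'blacklist <module>' line with an 'install <module> false' line and vice
versa, since a typo in one list leaves that module loadable by hand or at boot."""
from __future__ import annotations

import subprocess

# Constructed sample in the post's format, with a misspelled install line on purpose
SAMPLE_CONF = """\
# Prevent automatic loading of firewire module(s).
blacklist ohci1394
blacklist firewire-ohci
blacklist firewire-core

# Prevent manual loading of firewire module(s).
install ohchi1394 false
install firewire-ohci false
install firewire-core false
"""

# Commands that make an 'install' override a no-op instead of loading the module
BLOCKING_COMMANDS = {"false", "/bin/false", "true", "/bin/true"}


def parse_modprobe(text: str) -> tuple[set[str], set[str]]:
    """Return (modules blacklisted, modules whose 'install' is overridden)."""
    blacklisted, install_blocked = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "blacklist" and len(parts) == 2:
            blacklisted.add(parts[1])
        elif parts[0] == "install" and len(parts) >= 3 and parts[2] in BLOCKING_COMMANDS:
            install_blocked.add(parts[1])
    return blacklisted, install_blocked


def mismatches(text: str) -> dict[str, list[str]]:
    """Modules protected by only one of the two mechanisms."""
    blacklisted, install_blocked = parse_modprobe(text)
    return {
        "blacklist_only": sorted(blacklisted - install_blocked),  # still loadable by hand
        "install_only": sorted(install_blocked - blacklisted),    # usually a typo
    }


def check_file(path: str) -> dict[str, list[str]]:
    """Run the consistency check on a real file such as /etc/modprobe.d/blacklist-firewire.conf."""
    with open(path, encoding="utf-8") as fh:
        return mismatches(fh.read())


def install_override_active(module: str) -> bool:
    """Ask kmod's modprobe (dry run, verbose) whether loading MODULE would run
    the install override instead of inserting it. Assumes the dry-run output
    echoes the 'install ...' command; needs the real system, so it is not part
    of the offline checks."""
    out = subprocess.run(["modprobe", "-n", "-v", module],
                         capture_output=True, text=True, check=False).stdout
    return any(line.startswith("install ") for line in out.splitlines())


if __name__ == "__main__":
    print(mismatches(SAMPLE_CONF))
```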

Hardening Firefox


The abilities of web-browsers are not only astounding, but also extremely vulnerable. With 0-day exploits being found for nearly everything, the bad guys are always looking for ways to exploit your browser.
Methods used to exploit browsers are usually split up into two parts: exploiting the actual browser, and exploiting addons (such as Adblock and Acrobat Reader).

Using the method I describe should mitigate most, if not all techniques involved in the exploitation of Firefox, and addons used.

Most services when installed create a user for themselves, which they cannot escape from without some sort of local root kernel exploit. Unlike services, firefox is normally run with the same permissions as the user running it, which means an attacker who exploits it gains the same permissions as that user. With access, an attacker could record the keystrokes of the user, and wait until they run 'sudo' to gain root access (or, god forbid, somebody has nopasswd enabled on their account.)

By creating a user specifically for firefox, we lock it into its own folder where it [shouldn't be able to] escape.

First off, we want to create our new user called 'firefox'.

1. Run 'sudo adduser --system --quiet --shell /bin/false --group --disabled-password --disabled-login firefox' in the terminal.

The commandline(and all references to) 'firefox' is a link to /usr/bin/firefox, which is just a launcher script, so we can move that to something like 'firefox-start'.

2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal.

Now we want to recreate the firefox file, and make it execute as our 'firefox' user, with all of the parameters that it normally would.
To do this, we must make a script to be run when using the command 'firefox'.

We have two options here. We either make a very simple script to run Firefox as the 'firefox' user, or we use some X11 trickery.

The problem with the first, is that an experienced hacker could control all X11 activity. Including logging keystrokes, injecting keystrokes, taking screenshots, etc.

The problem with the second, is that extensions such as XRANDR will not work. Another highly problematic downside is that you cannot copy-and-paste from your browser into another application. You can copy-and-paste from other applications into the browser, but not the other way around. This makes it incredibly difficult if you want to copy, for example, a quote from Wikipedia into an email.

Due to not having a solution to this, I've decided to show you how to do both.


Vulnerable Method

This method gives the reader a very easy way of doing things, and is probably OK for the average user.

Open up /usr/bin/firefox, which should now be an empty file, and place a script in it so it will run firefox as the user 'firefox'.
3[.1]. sudo nano /usr/bin/firefox
And enter the script:
#!/bin/sh
sudo -H -u firefox "/usr/bin/firefox-start" "$@"

The -H flag is used to tell the system that we want to set our home directory to /home/firefox/. -u is used to tell the system that we want to run the program as the user 'firefox', and the last two flags tell the system to run /usr/bin/firefox-start(the REAL firefox script) with the flags $@, which means it will run with whatever /usr/bin/firefox was run with.

We need to allow the 'firefox' user to access X, so we go to "System -> Preferences -> Startup Applications" and add a new startup program.
The name and comment is irrelevant, but the command should be this:
xhost +SI:localuser:firefox


'Paranoid' Method

This method, as stated above, stops the user from copy-and-pasting from the browser into a different program. It is much safer, and is considered secure.

3[.2]. Run `sudo nano /usr/bin/firefox', and put in..

#!/bin/sh
# Assumed location for the shared, group-writable X authority file
xa=~firefox/.Xauthority

exec newgrp firefox <<-EOF
 if [ -e "$xa" ]; then
  if [ ! -r "$xa" ]; then
   rm -f "$xa"
  elif [ ! -w "$xa" ]; then
   mv "$xa" "$xa.tmp" && cp "$xa.tmp" "$xa" && rm -f "$xa.tmp" && chmod 660 "$xa"
  fi
 fi &&
 xauth -q -i -f "$xa" generate "$DISPLAY" . "untrusted" && chmod g+rw "$xa" &&
 sudo -H -u firefox XAUTHORITY="$xa" "/usr/bin/firefox-start" "$@"
EOF


This script will run every time you open up firefox.

Now we need to make the file executable.

[4]. Run `sudo chmod +x /usr/bin/firefox'.

As you can see in the script, it relies on the 'newgrp' program being able to switch to the 'firefox' group. To do this, you must add yourself into the 'firefox' group.

[5]. Run `sudo usermod -a -G firefox $USER'.
This will add you into the group 'firefox'.
You will now need to reboot to make this come into effect.

To allow changes to be made by the group, you must run a chmod command on the user folder.
[6]. Run `chmod -R g+rwxs ~firefox'

This allows anybody in the 'firefox' group to make changes in the /home/firefox/ directory.


Now you can run 'firefox', and it'll run the browser as the user 'firefox', not as your user. Yay! We got most likely the hardest part finished.


I, like many of you probably do, like to play music in my browser. Whether it be through HTML5, or Flash. But since our new user 'firefox' isn't part of the 'audio' group, we must add that user to it.

[?]. Run `sudo usermod -a -G audio firefox'
Now with another reboot(or logout), audio should be able to be played.

Finally, due to multiple users using PULSE(your account, and then flash in the 'firefox' user), we have to set up 'firefox' to use a slave server, and your real user as the master.

First of all, we want to copy the default pulseaudio settings to your home directory.

[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/ ~/.pulse/'

Now edit it.

[?]. Run `nano ~/.pulse/'
Add to the bottom of the file: "load-module module-native-protocol-tcp auth-ip-acl=" and save.

And that's it. Firefox will automatically use that as a master server, thus becoming a slave.

There are probably security implications to do with this, but they would be minor.(At most, listening to microphone, which I doubt anyways)


Although mostly un-important, it might interest some people to install some addons in Firefox to enhance your browsing privacy.

These include:

Adblock Edge - Basically AdBlock without the whitelisted ads. Removes ads & unwanted elements on webpages. Recommend using in conjunction too.
HTTPS-Everywhere - Tries to use HTTPS/SSL on webpages known to work with it.
BetterPrivacy - Handles long-term, non-HTTP cookies such as flash cookies.(In options, make sure 'Always ask' is unchecked.)
User Agent Switcher - Makes it possible for you to change your User-Agent to something else. Download and import it through the application in Firefox(Edit User-Agents).
Smart Referer - Only sets referrer if staying on the same page.

In the page "about:addons"(type it into your URL-bar), go to "Plugins", and make sure everything is set to "Ask to Activate".

In the page "about:config"(type it into your URL-bar), set geo.enabled to false(double click on it if it's true), set network.dns.disablePrefetch to true, set network.websocket.enabled to false,


Although not necessarily a security risk, your MAC Address may be used for tracking, and later identification.

To counter this, we use an interesting program called macchanger.
Macchanger, created by "Alvaro Lopez Ortega", is a program that quickly and easily spoofs your mac address.

Although a new and updated version of macchanger exists on Github, we'll be using the repository's version.

We actually need to install macchanger. To do so:
1. Run `sudo apt-get install macchanger'

Although originally I wanted to set up a script to change the mac address every time you connected to a wireless network, I encountered a problem. The default network manager in Ubuntu, NetworkManager, deprecated pre-up and post-down. The developers have said that they will not be bringing it back either. Interestingly, many of the commenters on the invalid bug-report page also question the removal, as they also were trying to use macchanger.

By creating an init script, we can make the program 'macchanger' run on boot.

1. Run `sudo nano /etc/init.d/changemac', and insert the following:

#!/bin/sh
# Disable the network devices
ifconfig eth0 down
ifconfig wlan0 down

# Spoof the mac addresses
/usr/bin/macchanger -a eth0
/usr/bin/macchanger -a wlan0

# Re-enable the devices
ifconfig eth0 up
ifconfig wlan0 up

exit 0

Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac').
This script will, on boot, take down wlan0 and eth0, change their mac-addresses, and then bring them back up. If need be, edit eth0 and wlan0 for your respective names on your system.

We now must actually make the script run on boot. This can be done by running 'update-rc.d'.
2. Run `sudo update-rc.d changemac defaults 10'

On each reboot, your mac address should change, without any implications in regard to connectivity.


It's commonly said by inexperienced users of all distributions that Linux cannot get viruses (Mac users also say this). But in reality, they can get viruses, but it's rare.
As described here, many Linux Trojans/Viruses/Worms have been made, but with little success. Although there is little chance of actually getting one, it's considered a good gesture to others, for you to scan for viruses. -- "If you are going to trade files in a Windows world, you'll need to scan those files for viruses. You won't get infected, but you may help infect someone else."
i.e; You may forward an email through your email that contains a windows virus.

Some Windows viruses can also be run through Wine.

We'll be using ClamAV, an open-source anti-virus program.
We first have to install it.

1. Run `sudo apt-get install clamav clamtk clamav-daemon'

Once finished installing, we must update our 'AntiVirus definitions'.
2. Run `sudo freshclam'
This may take awhile.

ClamAV can be run in three ways: Manually in the terminal, manually through a GUI, or as a daemon.

I'm going to run it as a GUI.
It can be run as a GUI by opening the terminal and running `clamtk'.

When you open clamtk, you're shown options in regard to how you want to run ClamAV. It's very simple and needs no explanation. You can set up an automatic schedule for scanning in Advanced->Scheduler.

Originally, I wanted to make it so that Firefox would scan all downloaded files using ClamAV. I found the addon Fireclam which is a Firefox mod that scans downloaded files through ClamAV, and gives you a warning if it returns anything.  
The problem with it, is that on download, Firefox freezes for 3-5 seconds while the scan is actually going on. This is a huge inconvenience and to me makes it unusable. I'm keeping it up here purely to show that it exists. ClamAV can also be set-up with Thunderbird.

Note: ClamAV does _not_ delete any files. That's up to you. It purely notifies you to the existence. 


Something a lot of people don't realize is that DNS is completely unencrypted.
We're going to add encryption which will prevent spying.
To do this, we're going to use OpenDNS's DNSCrypt.

So, we want to download the current version, dnscrypt-proxy-1.4.0.
1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt'

2. Run `sudo apt-get update'

3. Run  `software-properties-gtk', go to "Other Software", and tick the source-code option for shnatsel/dnscrypt.

Now we want to confirm that the ppa is actually secure. To do this..

4. Run `sudo apt-get source --download-only dnscrypt-proxy'
Generate a SHA256 checksum of the source.
5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2'
Pull the official signature from the DNSCrypt website.
6. Run `dig +short +dnssec TXT'

Now compare the results. If they're the same, you're ready to go.

Now actually installing, and setting everything up.
7. Run `sudo apt-get install dnscrypt-proxy'

8. Run `nm-connection-editor', and edit your connection. Go to IPv4 Settings and select 'Automatic (DHCP) addresses only' for the "Method". In the DNS servers, set it to:

This will make it so that by default, is used for DNS.

Due to a bug(?) in apparmor, you must run the following commands:

9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain /etc/apparmor.d/usr.sbin.dnscrypt-proxy'

Now to setup dnscrypt, and make it start on startup.

10. Run `sudo nano /etc/init.d/dnscrypt' and put in:
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch the dnscrypt to communicate with OpenDNS
### END INIT INFO

NAME=dnscrypt
DAEMON=/usr/sbin/dnscrypt-proxy   # path assumed for the packaged binary

start() {
    echo "Starting dnscrypt"
    # --local-address takes the loopback address you chose in step 8
    dnscrypt-proxy -u nobody -R opendns --local-port=53 --local-address= --daemonize
}

stop() {
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
  start) start ;;
  stop) stop ;;
  restart|force-reload) stop; start ;;
  *)
   echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
   exit 1
   ;;
esac

exit 0

11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d dnscrypt defaults'.

Finally, we must edit /etc/default/dnscrypt-proxy.

12. Run `sudo nano /etc/default/dnscrypt-proxy'
Make sure that the "local-address" is set to "", "resolvconf" is set to "on", and "user" is set to "nobody".

And then reboot.

Now you'll be resolving with encryption. You can confirm you're using it correctly by going to

You can also run `sudo tcpdump -i any -n -A', which will display the ASCII output of the packets going in/out of port 443(since it uses port 443, not 53). You can then run `dig' in another terminal, and you should see encrypted text through tcpdump.

Make sure that /nonexistent exists, and is chowned to nobody:nogroup (`sudo chown nobody:nogroup /nonexistent')


Evil-Maid Attacks

I won't be covering prevention of evil-maid attacks in this post due to the limitation of what one can actually do to prevent against an evil-maid attack. However, one example of what you can do is moving the boot partition in Ubuntu to a secure USB stick. A guide on how to do this can be found here.

But in reality, if somebody is able to tamper with your computer while it's not in your possession, they could install a hardware keylogger to get your encryption key.

ColdBoot Attacks

Again, I won't be covering much when it comes to coldboot attacks.
Most computers these days use DDR3 ram, which as far as I can find, aren't vulnerable to coldboot attacks. I will however give recommendations to stop the theoretical attack.

1. Set an Administrator password for the BIOS.
Although this wouldn't help if an attacker were to take the ram out of your system, and put it into theirs then dump it, it will delay how long it takes for the ram to be dumped.

2. Turn off Quickboot/Fastboot in your BIOS.
Not all computers support this, but some do. By turning off Quickboot/Fastboot, your system will 'check' the memory on boot, thus overwriting everything.


File Removal

As most readers will know, deleting files through usual methods (and the command `rm') only removes the "links" to the file's contents on the harddrive. To remove files securely, you can use the program BleachBit.
You can install it by running `sudo apt-get install bleachbit'. 
To securely delete a file, run `bleachbit -s file.txt'. It can also be used on directories.

One of the problems with 'secure file removal' is that it only 'securely'(?) deletes the current contents of files. If the file has been edited at all, then remnants of it may still exist.

Credit: BleachBit

This diagram explains it well; using secure removal tools, only the green blocks would be removed. The red blocks are old versions of the files. 
To deal with this, and delete all un-used disk space, you can use BleachBit as a cleaner.
To do this, you can run `sudo bleachbit  -o -c system.free_disk_space'. NOTE: This will take a long time to use your harddrive. It creates a file with random data that fills up the harddrive, then deletes it. If you're using an SSD, _DO NOT_ use this.

BleachBit can also be used for other things; you can view them by running `bleachbit --gui'.

With all of these security measures implemented, I am confident that my computer is fairly secure from external and remote hackers. It's much more of a hobbyist thing. If you really need good security, use Tails. After all, one could always torture you for access.

I've personally done everything that is shown in this blog, as well as following 'good practise', such as shutting down my computer when I'm not using it.

Sunday, 25 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty



In the middle of January of 2014, I submitted a bug to Facebook through its bug bounty program.

The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then log in to Facebook with your Skype account.

Here's a look at how it worked exactly:

In Facebook's "Find Friends" feature, you can log in to your Yahoo, Outlook, Skype, and other accounts to add people into your contacts list on Facebook (and then in turn add them, I guess).

The feature in question

By logging into your Skype account on the feature and pressing "Find Friends", you were taken to the next page.

The prompt "Would you like to send friend invites to all of your imported contacts?" came up, to which you would answer either no or yes. (No was obviously suggested.)

Then it would show the names and Skype names of the imported people, asking if you want to "Send Invites" or "Skip". Skip was also suggested.

We'd then be redirected back to the original "Find Friends" page.

Then, loading the page , in the sub-section "Contacts Imported (not yet invited)"...


(Note: It actually displayed full emails, not just partial)

So I instantly emailed Facebook with the information.

After a back-and-forth about the bug, I was told to wait awhile for it to be fixed.

And then finally, I received this email..

And, was I surprised.
I didn't consider this a massive bug and expected to get the minimum reward of $500.

Well, I guess that's it.

Saturday, 24 May 2014

SQL Injection on subdomain /, subdomains


Whilst looking for some bugs in eBay, I came across the domain It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone a while ago.

The website is the exact same as,, etc.
The database itself was most likely part of, too.

On the third tab of the page, there's a link to the 'Categories' section. -- If anybody has ever used eBay before, they would understand what this is: a list of categories from which you can view items to buy (or, in this case, go into a sub-category).

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe at the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page. -- Pretty much the poster-child of a blind SQL injection.

I had trouble actually exploring this vulnerability, as I came to figure out that Microsoft SQL Server was being used for the backend, not a Unix-based one. This created problems.

Due to my lack of MSDB knowledge, I had to load the website into sqlmap and do everything through there.

First, I scanned the parameter to see if my assumption was right.
[INFO] GET parameter 'emv_CatParent' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable

Not only that, but:
[01:34:38] [INFO] GET parameter 'emv_CatParent' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable

Which means possible file write/read. - I didn't look further into this, though.
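As an added, defensive illustration of the bug described above (not code from the post or from the affected site, whose server-side code is not shown; the PHP 7 handler, table and column names are hypothetical): the string-concatenation pattern that lets a stray apostrophe in emv_CatParent reach SQL Server, next to a version that validates the parameter and binds it through a PDO prepared statement.

```php
<?php
// Added example; the handler, table and column names are hypothetical.
// Shows why a single apostrophe in emv_CatParent breaks a concatenated
// query, and the validate-then-bind pattern that removes the problem.

// Vulnerable: the raw query-string value is spliced into the SQL text.
// Input such as 42' closes the literal early, SQL Server raises a syntax
// error, and the page stops rendering part-way, the symptom seen above.
function category_sql_vulnerable(array $get): string {
    $parent = $get['emv_CatParent'] ?? '0';
    return "SELECT cat_id, cat_name FROM categories WHERE parent_id = '$parent'";
}

// Hardened step 1: category ids are integers, so reject anything else
// before the database is involved.
function parse_category_parent(array $get): int {
    $raw = $get['emv_CatParent'] ?? '0';
    if (!preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        throw new InvalidArgumentException('emv_CatParent must be a small integer');
    }
    return (int) $raw;
}

// Hardened step 2: bind the value as a typed parameter. It is sent separately
// from the SQL text, so it can never terminate a literal or start a second,
// stacked statement.
function fetch_categories(PDO $db, int $parent): array {
    $stmt = $db->prepare('SELECT cat_id, cat_name FROM categories WHERE parent_id = ?');
    $stmt->bindValue(1, $parent, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: the second mimics the apostrophe probe from the post.
foreach ([['emv_CatParent' => '42'], ['emv_CatParent' => "42'"]] as $get) {
    echo "vulnerable SQL: ", category_sql_vulnerable($get), "\n";
    try {
        $parent = parse_category_parent($get);
        echo "hardened: parent_id bound as integer $parent\n";
        // $db = new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', $user, $pass);
        // print_r(fetch_categories($db, $parent));   // placeholder DSN values
    } catch (InvalidArgumentException $e) {
        // Return a static 400 page; never echo the database's own error text,
        // which is what turns a broken query into an oracle for an attacker.
        echo "hardened: rejected ({$e->getMessage()})\n";
    }
}
```

Rejecting non-numeric input is a first line of defence only; the prepared statement is what actually closes the bug, and also the stacked-queries path sqlmap reported.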

I explored column names, but no further.
Here's some screenshots:

'ebayDB' database.


Tables available in the 'ebayDB' database.

List of columns from the 'payment_old' table.

No hash for Admin user?(sa).. Uhm.. YOLO I guess.

And finally..


[*] Date of discovery: 19/05/2014
[*] Date of report to eBay: 19/05/2014
[*] Date of patch/deployment: 24/05/2014
[*] Public Disclosure: 25/05/2014


Joshua Rogers - (@MegaManSec)

Friday, 23 May 2014

BCrypt for PHP

(This was originally posted in 2012, so numbers may be incorrect per current hardware)

What is BCrypt, and why should you care about it?

BCrypt is a hashing algorithm based upon the Blowfish cipher. Not to be confused with the fish, the Blowfish cipher was originally created in 1993 by Bruce Schneier, and is still one of the best encryption methods currently available, in my opinion.

BCrypt is currently implemented in the crypt() function in PHP >= 5.3.7. It was implemented in previous versions too, but a bug was found that affected those versions of PHP.

Here is an example of using BCrypt:

function hash_pwd_bcrypt($password, $salt) {
    $cost = 15; // must be in range 04 - 31

    // The salt can only contain the characters "./0-9A-Za-z" and the length must be > 2, so the input gets md5'ed
    // (md5() output is 32 hex characters, all within that alphabet; crypt() uses the first 22 of them)
    return crypt($password, '$2y$' . sprintf('%02d', $cost) . '$' . md5($salt) . '$');
}

I recently created a thread on regarding BCrypt password hashing integration into vBulletin. The thread can be found here –

Now we know what BCrypt is, why should you use it?

Simply, it is more secure.

Plain MD5 is obsolete and highly vulnerable to multiple attacks, and every hash can be pre-calculated, meaning somebody with the computing power and the storage could pre-calculate every MD5 hash, then compare it to the password used.

MD5 with a salt is okay as well, but it is still highly vulnerable to dictionary attacks and brute-force attacks, as commodity hardware can generate over 6 billion MD5 hashes per second.
Assuming the salt is three characters long and drawn from [A-Za-z0-9] (238328 possible unique salts), and either the salt has not been exposed for some reason (highly unlikely) or every single possible salt has been used in a database, that hardware could still test 6,000,000,000/238328 -- about 25,175 -- candidate passwords per second against all possible salts.

With Ubuntu's dictionary file (/etc/dictionaries-common/words) containing nearly 100,000 words at the moment, it would take an attacker using basic hardware just a few seconds to attempt to crack every salted hash using the dictionary. It would take only tens of minutes to attempt the dictionary with numbers appended to the words.

If targeting a single password, and the salt is known, then it goes back up to 6 billion hashes per second -- even if you have a salt.
Most, if not all, web applications store the salt in the same way as the password hash.

With today's hardware, BCrypt hashes can only be generated at around 4,000-5,000 hashes per second.

That number depends on the 'cost' that is set when hashing the password.


When implementing BCrypt, you have to provide a 'cost' parameter.

The higher the cost, the longer it takes to hash the password, and the longer it takes an attacker to crack it.

The number of iterations the hashing goes through is 2 ^ cost.
So if the cost is 3, the password gets hashed 8 times,
much like if somebody were to do md5(md5(md5(md5(md5(md5(md5(md5($password))))))))

But remember, changing the cost will change the encryption, so neither you, nor hackers can just change the cost to make the encryption faster.
A change of cost makes all previous hashes invalid.

A normal user shouldn't mind a 2-second delay when logging in, as nearly every website nowadays has a 'remember me' button, which usually just extends the cookie lifetime.
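Added example (not the post's code) pulling together the crypt() usage shown earlier and the cost discussion above: a bcrypt salt generated from a CSPRNG instead of md5() of a caller-supplied value, hashing with the $2y$ prefix, verification against the stored string, and a timing helper for picking the cost. It assumes PHP >= 7.0 (random_bytes() and scalar type declarations); on older releases use openssl_random_pseudo_bytes() and drop the type hints.

```php
<?php
// Added example, not the post's code. Assumes PHP >= 7.0.

// bcrypt salts are 22 characters from the alphabet ./0-9A-Za-z. Mapping
// base64 output onto that alphabet keeps all 128 random bits, whereas md5()
// of a user-chosen salt yields only hex digits (4 bits per character).
function bcrypt_salt(): string {
    $b64 = base64_encode(random_bytes(16));        // 22 data chars + '=='
    return substr(strtr($b64, '+', '.'), 0, 22);   // '+' is not in the alphabet
}

function bcrypt_hash(string $password, int $cost = 12): string {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be in the range 04-31');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // crypt() signals a rejected setting with a short failure string ('*0'/'*1')
    // rather than an exception, so check for the length of a real bcrypt hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or setting rejected');
    }
    return $hash;
}

// The cost and salt are parsed back out of the stored hash, so verification
// needs only the hash itself; hash_equals() compares in constant time.
function bcrypt_verify(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Seconds for one hash at the given cost on this machine; raise the cost until
// a login stays within your budget (a few hundred milliseconds is typical).
function bcrypt_seconds_per_hash(int $cost): float {
    $start = microtime(true);
    bcrypt_hash('benchmark-only', $cost);
    return microtime(true) - $start;
}

// Self-check on constructed input.
$hash = bcrypt_hash('correct horse battery staple', 12);
if (!bcrypt_verify('correct horse battery staple', $hash) || bcrypt_verify('wrong', $hash)) {
    throw new RuntimeException('self-check failed');
}
printf("%s\ncost 12 took %.3f s per hash\n", $hash, bcrypt_seconds_per_hash(12));
```

On PHP >= 5.5, password_hash() and password_verify() wrap the same $2y$ crypt() call with a generated salt and are the simpler choice for new code.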

TL;DR: Use BCrypt.

BCrypt for vBulletin –
BCrypt for other PHP applications –
Crypt manual for PHP –