Friday, 4 July 2014

PTV; The police, and the aftermath.

For backstory regarding the PTV story, the following articles should be read:

(Sydney Morning Herald) Schoolboy hacks Public Transport Victoria website - PTV #1
(Wired) Teen Reported to Police After Finding Security Hole in Website - PTV #2
(ABC) Melbourne schoolboy exposes security flaw in Public Transport Victoria's website - PTV #3


This blog entry is more a "diary" of what happened after the story broke.

Originally, I found the bug on the 26th of December, 2013, and around 2AM.
I reported the bug at around 3AM to around 30 company emails.

On the 6th of January, 2014, the original reporter (Adam Carey) was contacted by PTV, and was told that PTV had contacted the police (it was assumed that, if he didn't publish the story, they wouldn't contact the police; but this is unknown).

On the 7th of January, 2014, the story was run in The Age(Fairfax) newspaper.




On Thursday, the 8th of May, 2014, at 8:15AM, 6-8 fully armed police officers showed up at my place of residence(my house). Three of them were e-crime. 

A warrant was served to me, and two e-crime officers went into my room and started to catalogue my electronic belongings, and then seal them for evidence.

Two of the other (non e-crime) officers sat me down, and started asking me general questions, such as how I was, etc. I commented to them how I had been warned around a week earlier that a search warrant may have been approved by the court, and would subsequently be executed (I have a contact). They were definitely stunned, but we didn't speak of it other than that.

Interestingly, the day before, I was given information by somebody else in regard to somebody that was going to team-kill me at the end of a game. i.e; contacts are good.


Whilst talking about general stuff(and filling out forms w/ information like my age, my name, etc.), the third e-crime officer was asking me questions regarding security, such as "How many websites do you think are susceptible to SQL Injection?", and "What sort of encryption do you use?".

I suspect the reason for 3-4 armed police officers being there was in case there were any "incidents", such as either 1. destruction of property (my harddrive), or 2. if I were to try to run away (lolwut); nothing happened, though.




Halfway through this, I decided the best thing I could do was 'give up' my encryption keys. I let the third e-crime officer (/that was talking to me) know that he could just ask for the encryption code, because he could have it. 

If I had "anything to hide" (it hurts me to type this), I would have securely deleted it after I had the heads-up, no? That being said, I didn't.

They could have just gotten a court order for it, anyway.

(Also, my laptop, which uses DDR2 ram, was on at the time, so they could have used a Cold Boot Attack, or some other side-channel attack.)

After they had finished taking my stuff, a total of 10 items were taken.

1. My Laptop
2. My Home-Server
3. 1 USB Stick
4. 1 USB Stick

5. 1 USB Stick

6. An SD-Card
7. My Samsung Phone
8. A "Phablet"(which had only been used once.)
9. An Old Laptop(that didn't have a harddrive in it)
10. A Harddrive(From that old laptop)



Interestingly, they missed a few things. I later found another SD card, another USB, and an old-old-old phone(from 2006), all on my desk. Luckily I found that USB, because it meant that I could continue to watch movies on my television.


The thing I'm most 'annoyed' at, is the fact they took my phone. How else am I going to talk to hot girls(such as Lara(non-aus body #1) & Danae)?






After the search warrant was conducted, I was "officially" arrested. I wasn't charged with anything, though.

Due to the circumstances, I wasn't taken in the back of a police car. I was told just to make my own way to the police station within the next 15 minutes through my own means(driving).




When I made it to the police station, I was put in an interview room, and was read the charge that they suspected I had broken.

The charge was "Unauthorised Access, Modification, or Impairment with Intent to Commit a Serious Offence", which apparently features a minimum of 5 years imprisonment? (What?)


They ran through the normal questions as to what happened, my side of the story etc., in a recorded interview, with 2 police officers. Interestingly(and unsurprisingly, I guess), they did the good-cop bad-cop routine.


The interview took around 2 hours in total, and after it was done, I was free to go.




On the 2nd of July an "offer" was made, where I could sign a document that I acknowledged that I had broken the law, and get an official police caution.
I ended up taking it.

It doesn't get added to my record, but if I break the law in the same way, in the future, it will be re-added on(For 5 years, then it's completely deleted).


So, I guess the moral of the story is: Don't exploit any vulnerabilities you find without permission; whether you're doing the "right thing" or not?

Tuesday, 10 June 2014

Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.

Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them, without interrupting usability by the average user.

In this blog we'll be running through vectors of attacks that one could use to gain access to your unencrypted data.


Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04 LTS(Trusty), and all commands and patches work on it for the author. The author accepts no liability when it comes to these commands/patches being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with filenames encrypted. This can be checked using the command `ecryptfs-verify -h -e'
4. It is assumed you do not have the evil program called Java, or any of its counterparts like IcedTea, etc. installed.


When you're told to run the program 'Nano', you can use vim,vi,emacs, etc. Nano is purely the text editor that I use. To exit out of Nano, you press control-x.






FireWire attacks

Firewire has for a while been known to allow attackers to gain access to a computer's physical memory (RAM), and enable the attacker to grab the encryption key used for devices that are mounted.
The most obvious method of defeating this attack is by not compiling the kernel with any firewire modules included, but for the sake of this article, I'll include methods of mitigation. After all, some Ubuntu users probably wouldn't be able to compile their own kernel every update.

To mitigate the risks with firewire, we will disable them in a blacklist file in modprobe.d.

1. Open up /etc/modprobe.d/blacklist-firewire.conf by running `sudo nano /etc/modprobe.d/blacklist-firewire.conf'
2. Remove the contents(or comment everything out) and replace it with the following:
# Prevent automatic loading of firewire module(s).

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394

blacklist firewire-ohci
blacklist firewire-sbp2
blacklist firewire-core
blacklist firewire-net
blacklist firewire-serial

# Prevent manual loading of firewire module(s).

install ohci1394 false
install sbp2 false
install dv1394 false
install raw1394 false
install video1394 false

install firewire-ohci false
install firewire-sbp2 false
install firewire-core false
install firewire-net false
install firewire-serial false

This will 1. blacklist all the firewire modules from starting at boot, and 2. prevent loading of firewire through forceful techniques.

After doing this, you must run `sudo update-initramfs -k all -u' for it to take effect on next boot.
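As an added example (my own, not part of the original post), here is a small shell check for a blacklist file like the one above. The two lists must name exactly the same modules: a name that appears under `blacklist' but not under `install ... false' (a typo is enough) is still loadable by hand, and the reverse still auto-loads at boot. The sample config is constructed and contains one deliberate mismatch so the check has something to report.

```shell
#!/bin/sh
# Constructed sample of a modprobe.d blacklist file. "ohchi1394" in the
# install list is a deliberate typo for "ohci1394".
SAMPLE_CONF='# Prevent automatic loading of firewire module(s).
blacklist ohci1394
blacklist firewire-ohci
blacklist firewire-core

# Prevent manual loading of firewire module(s).
install ohchi1394 false
install firewire-ohci false
install firewire-core false
'

# Read a modprobe.d config on stdin and print one line per module that is
# covered by only one of the two directives:
#   "<module> missing-install"    blacklisted, but can still be loaded by hand
#   "<module> missing-blacklist"  install-blocked, but not kept from auto-loading
# No output means the two lists agree.
modprobe_lint() {
    awk '
        $1 == "blacklist" && NF == 2 { bl[$2] = 1 }
        $1 == "install" && NF == 3 && ($3 == "false" || $3 == "/bin/false") { inst[$2] = 1 }
        END {
            for (m in bl)   if (!(m in inst)) print m, "missing-install"
            for (m in inst) if (!(m in bl))   print m, "missing-blacklist"
        }
    ' | sort
}

# Exit 0 only if module "$1" is both blacklisted and install-blocked
# in the config read from stdin.
modprobe_blocked() {
    awk -v m="$1" '
        $1 == "blacklist" && $2 == m { b = 1 }
        $1 == "install" && $2 == m && ($3 == "false" || $3 == "/bin/false") { i = 1 }
        END { exit !(b && i) }
    '
}
```

Run it against the real file with `modprobe_lint < /etc/modprobe.d/blacklist-firewire.conf'; on the sample above it reports both halves of the typo. `modprobe_blocked firewire-core < /etc/modprobe.d/blacklist-firewire.conf' is handy in a post-install script, since it only succeeds when a module is covered by both directives.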





Hardening Firefox

 

The abilities of web-browsers are not only astounding, but also extremely vulnerable. With 0-day exploits being found for nearly everything, the bad guys are always looking for ways to exploit your browser.
Methods used to exploit browsers are usually split up into two parts: exploiting the actual browser, and exploiting addons (such as Adblock and Acrobat Reader).


Using the method I describe should mitigate most, if not all techniques involved in the exploitation of Firefox, and addons used.


Most services, when installed, create a user for themselves, which they cannot escape from without some sort of local root kernel exploit. Unlike services, firefox is normally run with the same permissions as the user running it, which means an attacker who compromises the browser gains the same permissions as that user. With that access, an attacker could record the keystrokes of the user, and wait until they run 'sudo' to gain root access (or, god forbid, somebody has nopasswd enabled on their account.)

By creating a user specifically for firefox, we lock it into its own folder where it [shouldn't be able to] escape.



First off, we want to create our new user called 'firefox'.

1. Run 'sudo adduser --system --quiet --shell /bin/false --group --disabled-password --disabled-login firefox' in the terminal.



The commandline(and all references to) 'firefox' is a link to /usr/bin/firefox, which is just a launcher script, so we can move that to something like 'firefox-start'.

2. Run `sudo mv /usr/bin/firefox /usr/bin/firefox-start' in the terminal.

Now we want to recreate the firefox file, and make it execute as our 'firefox' user, with all of the parameters that it normally would.
To do this, we must make a script to be run when using the command 'firefox'.


We have two options here. We either make a very simple script to run Firefox as the 'firefox' user, or we use some X11 trickery.

The problem with the first, is that an experienced hacker could control all X11 activity. Including logging keystrokes, injecting keystrokes, taking screenshots, etc.

The problem with the second, is that extensions such as XRANDR will not work. Another highly problematic downside is that you cannot copy-and-paste from your browser into another application. You can copy-and-paste from other applications into the browser, but not the other way around. This makes it incredibly difficult if you want to copy, for example, a quote from Wikipedia into an email.

Due to not having a solution to this, I've decided to show you how to do both.

-----

Vulnerable Method


This method gives the reader a very easy way of doing things, and is probably OK for the average user.

Open up /usr/bin/firefox, which should now be an empty file, and place a script in it so it will run firefox as the user 'firefox'.
3[.1]. sudo nano /usr/bin/firefox
And enter the script:
#!/bin/bash
# Run the real launcher as the unprivileged 'firefox' user, with its own $HOME,
# passing through whatever arguments we were given.
sudo -H -u firefox "/usr/bin/firefox-start" "$@"

The -H flag is used to tell the system that we want to set our home directory to /home/firefox/. -u is used to tell the system that we want to run the program as the user 'firefox', and the last two flags tell the system to run /usr/bin/firefox-start(the REAL firefox script) with the flags $@, which means it will run with whatever /usr/bin/firefox was run with.

We need to allow the 'firefox' user to access X, so we go to "System -> Preferences -> Startup Applications" and add a new startup program.
The name and comment is irrelevant, but the command should be this:
xhost +SI:localuser:firefox



-----

'Paranoid' Method

This method, as stated above, stops the user from copy-and-pasting from the browser into a different program. It is much safer, and is considered secure.




3[.2]. Run `sudo nano /usr/bin/firefox', and put in..

#!/bin/bash

# Xauthority file the 'firefox' user will read; the cookie generated into it
# below is an "untrusted" one, so the browser cannot snoop on other X clients.
xa="/home/firefox/.Xauthority"

# Re-quote our arguments so they survive the here-document intact: a bare "$@"
# inside a heredoc is not word-split, so several arguments would be glued
# together into one.
if [ $# -gt 0 ]; then args=$(printf '%q ' "$@"); else args=; fi

exec newgrp firefox <<-EOF

 if [ -e "$xa" ]; then
  if [ ! -r "$xa" ]; then
   rm -f "$xa"
  elif [ ! -w "$xa" ]; then
   mv "$xa" "$xa.tmp" && cp "$xa.tmp" "$xa" && rm -f "$xa.tmp" && chmod 660 "$xa"
  fi
 fi &&
 xauth -q -i -f "$xa" generate "$DISPLAY" . "untrusted" && chmod g+rw "$xa" &&
 sudo -H -u firefox XAUTHORITY="$xa" "/usr/bin/firefox-start" $args

EOF

This script will run every time you open up firefox.

Now we need to make the file executable.

[4]. Run `sudo chmod +x /usr/bin/firefox'.

 As you can see in the script, it relies on the usage of the 'newgrp' program being able to access the 'firefox' group. To do this, you must add yourself into the 'firefox' group.

[5]. Run `sudo usermod -a -G firefox $USER'.
This will add you into the group of 'firefox'.
You will now need to reboot to make this come into effect.


To allow changes to be made by groups, you must run a chmod command on the user folder.
[6]. Run `sudo chmod -R g+rwxs ~firefox'

This allows anybody in the 'firefox' group to make changes in the /home/firefox/ directory.

-----


Now you can run 'firefox', and it'll run the browser as the user 'firefox', not as your user. Yay! We got most likely the hardest part finished.

Audio


I, like many of you probably do, like to play music in my browser. Whether it be through HTML5, or Flash. But since our new user 'firefox' isn't part of the 'audio' group, we must add ourselves to it.

[?]. Run `sudo usermod -a -G audio firefox'
Now with another reboot(or logout), audio should be able to be played.
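Added example (mine, not from the original post): after the user creation in step 1, the group change in step 5 and the audio group just above, it is worth checking that the account really is locked down and the memberships took. The functions below make those checks on getent(1)-style lines; the passwd and group lines used here are constructed samples, with 'alice' standing in for your own user.

```shell
#!/bin/sh
# Constructed sample lines in getent(1) format; on a real system they come
# from `getent passwd firefox` and `getent group`.
SAMPLE_PASSWD='firefox:x:999:999::/home/firefox:/bin/false'
SAMPLE_GROUPS='firefox:x:999:alice
audio:x:29:pulse,firefox
sudo:x:27:alice'

# Does this passwd line describe the locked-down service account that
# `adduser --system --shell /bin/false --disabled-login firefox` creates?
# Checks: system uid (below 1000), no usable shell, home is /home/firefox.
firefox_account_locked() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ "$name" = "firefox" ] || return 1
    [ "$uid" -lt 1000 ] || return 1
    [ "$home" = "/home/firefox" ] || return 1
    case "$shell" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Is user "$2" listed as a member of group "$1" in the group lines on stdin?
in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# The three conditions the set-up relies on: the service account is locked,
# your own user ($3) is in the 'firefox' group so newgrp works, and the
# 'firefox' user is in 'audio' so sound can play.
firefox_isolation_ok() {
    firefox_account_locked "$1" || return 1
    printf '%s\n' "$2" | in_group firefox "$3" || return 1
    printf '%s\n' "$2" | in_group audio firefox
}
```

On a live system: `firefox_isolation_ok "$(getent passwd firefox)" "$(getent group)" "$USER" && echo ok'. Remember that group changes only show up for your own user after a fresh login, which is why the post tells you to reboot.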


Finally, due to multiple users using PULSE(your account, and then flash in the 'firefox' user), we have to set up 'firefox' to use a slave server, and your real user as the master.


First of all, we want to copy the default pulseaudio settings to your home directory.

[?]. Run `mkdir ~/.pulse/ ; cp /etc/pulse/default.pa ~/.pulse/'

Now edit it.

[?]. Run `nano ~/.pulse/default.pa'
Add to the bottom of the file: "load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1" and save.

And that's it. Firefox will automatically use that as a master server, thus becoming a slave.

There are probably security implications to do with this, but they would be minor.(At most, listening to microphone, which I doubt anyways)



Addons

Although mostly unimportant, it might interest some people to install some addons in Firefox to enhance your browsing privacy.

These include:

Adblock Edge - Basically AdBlock without the whitelisted ads. Removes ads & unwanted elements on webpages. Recommend using https://www.fanboy.co.nz/ in conjunction too.
HTTPS-Everywhere - Tries to use HTTPS/SSL on webpages known to work with them.
BetterPrivacy - Handles long-term, non-HTTP cookies such as flash cookies.(In options, make sure 'Always ask' is unchecked.)
User Agent Switcher - Makes it possible for you to change your User-Agent to something else. Download http://techpatterns.com/downloads/firefox/useragentswitcher.xml and import it through the application in Firefox(Edit User-Agents).
Smart Referer - Only sets referrer if staying on the same page.

In the page "about:addons"(type it into your URL-bar), go to "Plugins", and make sure everything is set to "Ask to Activate".

In the page "about:config"(type it into your URL-bar), set geo.enabled to false(double click on it if it's true), set network.dns.disablePrefetch to true, set network.websocket.enabled to false,





MAC-Address

Although not necessarily a security risk, your MAC Address may be used for tracking, and later identification.

To change it, we use an interesting program called macchanger.
Macchanger, created by "Alvaro Lopez Ortega", is a program that quickly and easily spoofs your mac address.

Although a new and updated version of macchanger exists on Github, we'll be using the repository's version.

We actually need to install macchanger. To do so:
1. Run `sudo apt-get install macchanger'



Although originally I wanted to set up a script to change the mac address every time you connected to a wireless network, I encountered a problem. The default network manager in Ubuntu, NetworkManager, deprecated pre-up and post-down. The developers have said that they will not be bringing it back either. Interestingly, many of the commenters on the invalid bug-report page also question the removal, as they too were trying to use macchanger.

By creating an init script, we can make the program 'macchanger' run on boot.


1. Run `sudo nano /etc/init.d/changemac', and insert the following:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          changemac
# Required-Start:    $local_fs
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Randomise the MAC addresses of eth0 and wlan0 at boot
### END INIT INFO

# Edit these to match the interface names on your system (see `ifconfig -a`).
IFACES="eth0 wlan0"

case "$1" in
    start|restart|force-reload)
        for dev in $IFACES; do
            # An interface must be down before its hardware address can change.
            ifconfig "$dev" down
            # -a: random vendor prefix of the same kind as the current one.
            /usr/bin/macchanger -a "$dev"
            ifconfig "$dev" up
        done
        ;;
    stop)
        # Nothing to undo on stop.
        ;;
    *)
        echo "Usage: /etc/init.d/changemac {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0


Make sure to make it executable(`sudo chmod +x /etc/init.d/changemac').
This script will, on boot, take down wlan0 and eth0, change their mac-addresses, and then bring them back up. If need be, edit eth0 and wlan0 for your respective names on your system.

We now must actually make the script run on boot. This can be done by running 'update-rc.d'.
2. Run `sudo update-rc.d changemac defaults 10'

On each reboot, your mac address should change, without any implications in regard to connectivity.
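Added example (my own, not from the original post or from macchanger): a spoofed address does not have to borrow a real vendor prefix the way `-a' does. The IEEE reserves the second-lowest bit of the first octet for addresses you assign yourself (the "locally administered" bit), and the lowest bit marks multicast, which must be clear or the interface will not work as a source address. The two functions below generate such an address and check one, which is a quick way for a script to tell a self-assigned address from a burned-in one. The test addresses are constructed.

```shell
#!/bin/sh
# Is "$1" a well-formed, unicast, locally administered MAC (xx:xx:xx:xx:xx:xx)?
# First octet: bit 0 = multicast flag (must be 0 for a usable source
# address), bit 1 = locally administered flag (1 for an address we chose).
is_local_unicast_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ] && [ $(( first & 2 )) -ne 0 ]
}

# Generate a random locally administered unicast MAC from /dev/urandom.
random_local_mac() {
    # Six random bytes as decimal numbers, then force the two flag bits.
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 | 2) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}
```

`is_local_unicast_mac "$(cat /sys/class/net/wlan0/address)"' succeeds for a self-assigned address and fails for a factory one; an address from `random_local_mac' can be handed to `macchanger -m' if you prefer it over the vendor-prefix style.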



Anti-Viruses

It's commonly said by inexperienced users of all distributions that Linux cannot get viruses (Mac users also say this). In reality, Linux can get viruses, but it's rare.
As described here, many Linux Trojans/Viruses/Worms have been made, but with little success. Although there is little chance of actually getting one, it's considered a good gesture to others for you to scan for viruses. -- "If you are going to trade files in a Windows world, you'll need to scan those files for viruses. You won't get infected, but you may help infect someone else."
i.e. you may forward an email that contains a Windows virus.

Some Windows viruses can also be run through Wine.

  
We'll be using ClamAV, an open-source anti-virus program.
We first have to install it.

1. Run `sudo apt-get install clamav clamtk clamav-daemon'

Once finished installing, we must update our 'AntiVirus definitions'.
  
2. Run `sudo freshclam'
This may take awhile.


ClamAV can be run in three ways: Manually in the terminal, manually through a GUI, or as a daemon.

I'm going to run it as a GUI.
It can be run as a GUI by opening the terminal and running `clamtk'.


When you open clamtk, you're shown options in regard to how you want to run ClamAV. It's very simple and needs no explanation. You can set up an automatic schedule for scanning in Advanced->Scheduler.


Originally, I wanted to make it so that Firefox would scan all downloaded files using ClamAV. I found the addon Fireclam which is a Firefox mod that scans downloaded files through ClamAV, and gives you a warning if it returns anything.  
The problem with it, is that on download, Firefox freezes for 3-5 seconds while the scan is actually going on. This is a huge inconvenience and to me makes it unusable. I'm keeping it up here purely to show that it exists. ClamAV can also be set-up with Thunderbird.



Note: ClamAV does _not_ delete any files. That's up to you. It purely notifies you of their existence.



DNSCrypt

Something a lot of people don't realize is that DNS is completely unencrypted.
We're going to add encryption which will prevent spying.
To do this, we're going to use OpenDNS's DNSCrypt.

So, we want to download the current version, dnscrypt-proxy-1.4.0.
1. Run `sudo add-apt-repository ppa:shnatsel/dnscrypt'

2. Run `sudo apt-get update'

3. Run  `software-properties-gtk', go to "Other Software", and tick the source-code option for shnatsel/dnscrypt.


Now we want to confirm that the ppa is actually secure. To do this..

4. Run `sudo apt-get source --download-only dnscrypt-proxy'
Generate the SHA256 hash of the source tarball.
5. Run `sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2'
Pull the official hash, which the DNSCrypt project publishes in a DNSSEC-signed TXT record.
6. Run `dig +short +dnssec TXT dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org'


Now compare the results. If they're the same, you're ready to go.
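Comparing the two by eye is error-prone (64 hex digits, and dig wraps the record data in quotes and may split it into several quoted chunks, with an RRSIG line after it when `+dnssec' is used). As an added example, not from the original post, here is a shell function that normalises both outputs and only reports a match when they are well-formed, identical SHA256 values. The digests in the sample strings are constructed placeholders, not the real 1.4.0 hash.

```shell
#!/bin/sh
# Constructed sample outputs (placeholder digest, not the real one) in the
# shapes that `sha256sum` and `dig +short +dnssec TXT` print.
SAMPLE_SHA256SUM='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  dnscrypt-proxy_1.4.0.orig.tar.bz2'
SAMPLE_DIG_TXT='"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"'

# Pull the digest out of a sha256sum line ("<hash>  <file>"), lower-cased.
digest_from_sha256sum() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print tolower($1); exit }'
}

# Pull the digest out of dig's TXT output: strip the quotes and whitespace
# (joining split chunks), and keep the first line that is exactly 64 hex
# digits, so an RRSIG line or other records are ignored.
digest_from_txt() {
    printf '%s\n' "$1" | awk '
        { s = $0; gsub(/["\t ]/, "", s)
          if (length(s) == 64 && s ~ /^[0-9a-fA-F]+$/) { print tolower(s); exit } }'
}

# Exit 0 only when both sides yield a well-formed SHA256 and they are equal.
digests_match() {
    a=$(digest_from_sha256sum "$1")
    b=$(digest_from_txt "$2")
    case "$a" in *[!0-9a-f]*|"") return 1 ;; esac
    [ "${#a}" -eq 64 ] || return 1
    [ "$a" = "$b" ]
}
```

Used with the real commands: `digests_match "$(sha256sum dnscrypt-proxy_1.4.0.orig.tar.bz2)" "$(dig +short +dnssec TXT dnscrypt-proxy-1.4.0.tar.bz2.download.dnscrypt.org)" && echo match'. A mismatch means the PPA's tarball is not the one the project published, and you should stop there.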


Now actually installing, and setting everything up.
7. Run `sudo apt-get install dnscrypt-proxy'

8. Run `nm-connection-editor', and edit your connection. Go to IPv4 Settings and select 'Automatic (DHCP) addresses only' for the "Method". In the DNS servers, set it to:
127.0.0.2

This will make it so that by default, 127.0.0.2 is used for DNS.

Due to a bug(?) in apparmor, you must run the following commands:

9. Run `sudo apt-get install apparmor-utils ; sudo aa-complain /etc/apparmor.d/usr.sbin.dnscrypt-proxy'

Now to setup dnscrypt, and make it start on startup.

10. Run `sudo nano /etc/init.d/dnscrypt' and put in:
#!/bin/sh
# This is for the file /etc/init.d/dnscrypt
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt for OpenDNS
# Description:       Launch dnscrypt-proxy to communicate with OpenDNS
### END INIT INFO
DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

dnscrypt_start()
{
    echo "Starting dnscrypt"
    # Listen on 127.0.0.2:53 as 'nobody' and forward to the OpenDNS resolver.
    "$DAEMON" -u nobody -R opendns --local-port=53 --local-address=127.0.0.2 --daemonize
}

dnscrypt_stop()
{
    echo "Stopping dnscrypt"
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0


11. Run `sudo chmod +x /etc/init.d/dnscrypt', and `sudo update-rc.d dnscrypt defaults'.

Finally, we must edit /etc/default/dnscrypt-proxy.

12. Run `sudo nano /etc/default/dnscrypt-proxy'
Make sure that "local-address" is set to "127.0.0.2:53", "resolvconf" is set to "on", and "user" is set to "nobody".

And then reboot.


Now you'll be resolving with encryption. You can confirm you're using it correctly by going to http://www.opendns.com/welcome/.

You can also run `sudo tcpdump -i any -n -A 208.67.220.220', which will display the ASCII output of the packets going in/out of port 443(since it uses port 443, not 53). You can then run `dig debug.opendns.com' in another terminal, and you should see encrypted text through tcpdump.

Make sure that /nonexistent exists, and is chowned to nobody:nogroup (`sudo chown nobody:nogroup /nonexistent').



 

Evil-Maid Attacks

I won't be covering prevention of evil-maid attacks in this post due to the limitation of what one can actually do to prevent against an evil-maid attack. However, one example of what you can do is moving the boot partition in Ubuntu to a secure USB stick. A guide on how to do this can be found here.

But in reality, if somebody is able to tamper with your computer while it's not in your possession, they could install a hardware keylogger to get your encryption key.



ColdBoot Attacks

Again, I won't be covering much when it comes to coldboot attacks.
Most computers these days use DDR3 ram, which as far as I can find, aren't vulnerable to coldboot attacks. I will however give recommendations to stop the theoretical attack.


1. Set an Administrator password for the BIOS.
Although this wouldn't help if an attacker were to take the ram out of your system, and put it into theirs then dump it, it will delay how long it takes for the ram to be dumped.

2. Turn off Quickboot/Fastboot in your BIOS.
Not all computers support this, but some do. By turning off Quickboot/Fastboot, your system will 'check' the memory on boot, thus overwriting everything.










Unrelated



File Removal

As most readers will know, deleting files through the usual methods (and the command `rm') only removes the "links" to the file's contents on the harddrive. To remove files securely, you can use the program BleachBit.
You can install it by running `sudo apt-get install bleachbit'. 
To securely delete a file, run `bleachbit -s file.txt'. It can also be used on directories.

One of the problems with 'secure file removal' is that it only 'securely'(?) deletes the current contents of the file. If the file has been edited at all, then remnants of older versions may still exist.

Credit: BleachBit

This diagram explains it well; using secure removal tools, only the green blocks would be removed. The red blocks are old versions of the files. 
To deal with this, and delete all un-used disk space, you can use BleachBit as a cleaner.
To do this, you can run `sudo bleachbit  -o -c system.free_disk_space'. NOTE: This will take a long time to use your harddrive. It creates a file with random data that fills up the harddrive, then deletes it. If you're using an SSD, _DO NOT_ use this.

Bleachbit can also be used for other things. You can view them by running `bleachbit --gui'.










With all of these security measures implemented, I am confident that my computer is fairly secure from external and remote hackers. It's much more of a hobbyist thing. If you really need good security, use Tails. After all, one could always torture you for access.

I've personally done everything that is shown in this blog, as well as following 'good practice', such as shutting down my computer when I'm not using it.

Sunday, 25 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty

 

 

 In the middle of January of 2014, I submitted a bug to Facebook through its bug bounty program.



The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then login to Facebook with your Skype.



Here's a look at how it worked exactly:



In Facebook's "Find Friends" feature, you can login to your Yahoo,Outlook,Skype, and other accounts to add people into your contacts list on facebook(and then in turn add them, I guess).

The feature in question

By logging into your skype account on the feature, and pressing "Find Friends", you were submitted to the next page.

The prompt "Would you like to send friend invites to all of your imported contacts?" came up, to which you would answer either no or yes. (No was obviously suggested)

Then it would show the names, and skype names of the imported people, asking if you want to "Send Invites", or "Skip". Skip was also suggested.

We'd then be redirected back to the original "Find Friends" page.

 Then, loading the page https://www.facebook.com/invite_history.php , in the sub-section "Contacts Imported (not yet invited)"...


 

(Note: It actually displayed full emails, not just partial)

So I instantly emailed Facebook with the information.

After a back-and-forth about the bug, I was told to wait awhile for it to be fixed.


And then finally, I receive this email..





And, was I surprised.
I didn't consider this a massive bug and expected to get the minimum reward of $500.

Well, I guess that's it.

Saturday, 24 May 2014

SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains

eBay



Whilst looking for some bugs in ebay, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone awhile ago.

The website is the exact same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
The database itself was most likely part of http://www.ebay.com/, too.


On the third tab of the page, there's a link to the 'Categories' section. -- If anybody has ever used eBay before, they would understand what this is; a list of categories as to where you can view items to buy.(Or in this case, go into a sub-category.)

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe into the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page. -- Pretty much the poster-child of a blind SQL Injection.

I had trouble actually exploring this vulnerability, as I came to figure out that Microsoft SQL Server was being used for the backend, not a unix-based one. This created problems.

Due to my lack of MSDB knowledge, I had to load the website into sqlmap and do everything through there.

First, I scanned the parameter to see if my assumption was right.
Voila..
[INFO] GET parameter 'emv_CatParent' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable

Not only that, but;
[01:34:38] [INFO] GET parameter 'emv_CatParent' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable


Which means possible file write/read. - I didn't look further into this though.


I explored column names, but no further.
Here's some screenshots:



'ebayDB' database.


Databases

Tables available in the 'ebayDB' database.

List of columns from the 'payment_old' table.

No hash for Admin user?(sa).. Uhm.. YOLO I guess.






And finally..
:)






==Timeline==

[*] Date of discovery: 19/05/2014
[*] Date of report to eBay: 19/05/2014
[*] Date of patch/deployment: 24/05/2014
[*] Public Disclosure: 25/05/2014


==Credits==

Joshua Rogers - www.internot.info (@MegaManSec)

Friday, 23 May 2014

BCrypt for PHP

(This was originally posted in 2012, so numbers may be incorrect per current hardware)

What is BCrypt, and why should you care about it?



BCrypt is a hashing algorithm based upon the BlowFish cipher. Not to be confused with the fish, the BlowFish cipher was originally created in 1993 by Bruce Schneier, and is still one of the best encryption methods currently available, in my opinion.


BCrypt is currently implemented in the crypt() function in PHP >5.3.7. It is implemented in previous versions, but a bug was found that affected the previous versions of PHP.

Here is an example of using BCrypt:

<?php
function hash_pwd_bcrypt($password, $salt) {
    $cost = 15; // must be in range 04-31

    // The salt can only contain the characters "./0-9A-Za-z" and must be
    // longer than 2 characters, so the input is md5ed first; crypt() takes
    // the first 22 characters of the result as the bcrypt salt.
    return crypt($password, '$2y$' . sprintf('%02d', $cost) . '$' . md5($salt) . '$');
}
I recently created a thread on vBulletin.org regarding BCrypt password hashing integration into vBulletin. The thread can be found here – http://www.vbulletin.org/forum/showthread.php?p=2369367



Now we know what BCrypt is, why should you use it?


Simply, it is more secure.

Plain MD5 is obsolete, and is highly vulnerable to multiple attacks, and every hash can be pre-calculated, meaning somebody with the power and the space, could pre-calculate every MD5 hash, then compare it to the password used.

MD5 with a salt is okay as well, but is still highly vulnerable to dictionary attacks / brute force attacks, as basic hardware can generate over 6 billion MD5 hashes per second.
Assuming the salt is three characters long, and is [A-Za-z0-9] (238,328 possible unique salts), and either the salt has not been exposed for some reason (highly unlikely), or every single possible salt has been used in a database, the hardware could still test 6,000,000,000/238,328, i.e. about 25,175, password guesses per second against all possible salts.

With Ubuntu's dictionary file(/etc/dictionaries-common/words) containing nearly 100,000 words as of the moment, it would take an attacker using basic hardware just a few seconds to attempt to crack every salted hash, using the dictionary. It would take only 10's of minutes to attempt the dictionary with numbers at the end of the words.

If targeting a single password, and the salt is known, then it goes back up to 6 billion hashes per second -- even if you have a salt.
Most, if not all, web-applications use a salt that is stored in the same way as the password hash.



With today's hardware, BCrypt hashes can only be generated at around 4,000-5,000 hashes per second.

That number depends on the 'cost' that is set when hashing the password.


Cost


When implementing BCrypt, you have to provide a 'cost' parameter.

The higher the cost, the longer it takes to hash the password, and the longer it takes an attacker to crack the password.

The amount of iterations the hashing goes through is: 2 ^ cost.
So if the cost is 3, the password gets hashed 8 times.
Much like if somebody were to do md5(md5(md5(md5(md5(md5(md5(md5($password))))))))


But remember, changing the cost will change the encryption, so neither you, nor hackers can just change the cost to make the encryption faster.
A change of cost makes all previous hashes invalid.

A normal user shouldn’t mind about a 2 second delay for logging in, as nearly every website nowadays has a ‘remember me’ button, which usually just extends the cookie length.


TL;DR: Use BCrypt.


Links:
BCrypt for vBulletin – http://www.vbulletin.org/forum/showthread.php?p=2369367
BCrypt for other PHP applications – http://www.openwall.com/crypt/
Crypt manual for PHP – http://php.net/manual/en/function.crypt.php

Why shared hosting is nearly NEVER the way to go.


(This was originally posted on October 17, 2012)

Shared Hosted

To most security-oriented people, the use of shared hosting is a big no-no when it comes to businesses with an online presence.
When it comes to normal, every-day companies without a team dedicated to security, things can be overlooked, or just completely unknown.

Bewilderment of shared hosting


What exactly is shared hosting?
Shared hosting usually consists of a dedicated server, and a lot of FTP accounts/users.
Every 'user' of the shared hosting gets their own account on the server, and access to a small portion of the resources.

Much like a share house, you basically get a room for yourself, and share the cost of resources (food, power, etc.) with the other tenants.


 Insecurity


Why is it insecure?

Well, as previously stated, shared hosting is much like a share house. You share the whole house with other tenants, and you all get a room for yourself.

In the sense of security; You have to trust all of the other tenants to 1) not steal anything, and 2) not lose their access, so somebody else can steal from them, AND you.

It wouldn't matter how secure your website is if another website hosted on the same server as yours isn't -- A hacker could gain access to another website on the server, and easily access the files on your website.


Another possibility is that an attacker could use an exploit to gain 'root'(admin) access to the server, and be able to control everything.
They would be able to delete your files, and upload malware to be distributed to your viewers/clients, ruining your reputation, and possibly ruining your business.

Example


Let's try out the domain 'belfastboatclub.com'. By going to the website http://www.yougetsignal.com/tools/web-sites-on-web-server/ , and entering 'belfastboatclub.com', we are presented with a list of 479 websites that share the same server with the Belfast Boatclub.

If a single one of those websites is vulnerable to hacking, that means belfastboatclub.com is too.



Conclusion

Not using shared hosting is very easy. By renting a VPS, which although is 'technically' shared, removes most of the risks associated with shared hosting, and potentially could be cheaper.

Why save $50 a year from not using a VPS, but potentially ruining your whole business?

tl;dr: if you are a business that actually cares about your data, don’t use shared hosting. (Just because you have your own IP address does NOT mean that you are not on shared hosting.)

Initial Commit.. I mean post.

This is a test of Blogger.

Bold

 Minor heading

Heading

Heading

Subheading