Just Another Security Blog

Sunday, 11 January 2015

Incorrect volume in PulseAudio indicator, with fix.

I was encountering a strange bug with PulseAudio, and the indicator/applet that is used to change the volume on my laptop.

I'm using external, Bose Companion 5 speakers, in Ubuntu, with PulseAudio through ALSA.

When I used the speakers, the audio would only come out of them if the PulseAudio ("Sound Settings") indicator/applet was set to >90%. That is when audio began to work.

Strangely, it wasn't that it wasn't loud enough; it just wouldn't actually start increasing the real volume.
91% volume in PulseAudio was 11%, 92% was 22%, etc.

This was very irritating because I couldn't, through PulseAudio, choose to have the speakers at the volume, say, 7%.

`alsamixer' correctly set the speaker level, which is how I worked out that PulseAudio would be at around 91% for 10%, etc.

According to the helpful Raymond at bugs.freedesktop.org, "the USB audio only supports 6 channels, and has PCM playback volume control with a very small dB range, from -3.12dB to 0dB."

His recommendation was to add "ignore_dB=1" to Pulse.

The way I did this was to add it to ~/.pulse/default.pa, since I had already set that file up when I set up my 'secure Ubuntu.'
If I hadn't set it up in ~/.pulse/default.pa, I would have had to edit /etc/pulse/default.pa.

I found the line:
"load-module module-udev-detect" in default.pa and replaced it with
"load-module module-udev-detect ignore_dB=1"

And then restarted PulseAudio (`pulseaudio -k').

Likely, there is a way to set this "ignore_dB" option only for the external speakers, rather than for the whole of PulseAudio. But the option doesn't seem to affect my internal speakers' usage.

Sunday, 23 November 2014

The state of Australian infrastructure security is in shambles – and the government is making it worse.

"We take the security of our users' information extremely seriously" has been the go-to line for hacked websites and companies in recent years. But do companies really take action to protect not only themselves, but others, from hacking?

With news that massive infrastructure such as the United States Postal Service (USPS), the US weather system's satellites, and HSBC Turkey's infrastructure has been hacked, one has to question the commitments that not only businesses, but governments too, make.

While Australian government agencies, such as ASIO, warn about the threats in an attempt to further their funding, they do not actually take the actions to secure the Australian people from cyber-threats. If they really wanted to help Australia, they would work with companies that are considered vital to Australia.


The US government recently reported that China could take down the US power grid. But instead of preventing it, they are simply fear-mongering to make the public feel as if they need more funding, and that we should be afraid of China.


As it is, a country-wide blackout would cause society to break down, where it is every man for himself.

This idea is explored in two films, "The Trigger Effect", and "Goodbye World".

In The Trigger Effect, the power goes out for an unspecified number of days, leaving people in a state of confusion, where they must provide for themselves, and protect themselves, in any way possible. The movie has been compared to the true events after Hurricane Katrina, where looting and uncontrollable violence ensued.

In Goodbye World, the same concept applies. All of the communications go out in America, and chaos ensues: riots, looting, mass murders, etc.



To prevent events like this, governments need to take the risks seriously, and work to rectify them.
This includes setting up a way for companies to secure their network, and guidelines to do so.
Governments need to assign centres and contacts to converse with large businesses that are considered "infrastructure" to Australia, to find problems, and rectify them. This may include asking the public for help.


When it comes to a public citizen wanting to help, the government has made all sorts of blockades, blocking them from doing anything. They go on about "If you see something, say something", but they don't mean it.
"Hacking" websites is as simple as putting an apostrophe in the URL, to expose information. Under Australian law, putting an apostrophe into the URL without prior consent, is illegal.
If somebody sends you a link to a website, and that link exposes data the website owner doesn't want you to see, you are breaking the law.


One way of doing things correctly is by allowing people to take a look at your website, as long as they 1. do not cost you money, and 2. do not take/save any data, and expose only the minimal amount of information required.

This is how a computer company that I worked with (not for), in Melbourne, did it.
I had found out that they may have been hacked, so I looked on their website, and I found an SQL Injection hole. I contacted them with the information, and they were extremely grateful. The owner of the company made the programmers work all night until the bug was fixed. He then invited me to his office for a meeting, and thanked me again. He offered me a $1,000 reward, and a job.
All contact I made was under my real name, and I offered my phone number to converse on the phone too.

This is the way to do things. Instead of going on a witch-hunt, they worked with me to understand my concerns, and to rectify them.
They understood that the cyber world and the real world are very different when it comes to security, but both can be intertwined when it comes to users' data.

I'll finish off with this:

I came across this image recently:

Breaking the "letter of the law", is considered bad, even if it is within the interest of the public.

It shows how security researchers are shunned, and generalised into a group of malicious hackers that want to cause trouble, vs. those that just want to help.
"See something, say something". More like "If you say something, expect to be fully investigated yourself."

Monday, 10 November 2014

`dpkg' format string vulnerability. CVE-2014-8625

A few days ago, I found a strange/stupid vulnerability in dpkg.

Dpkg is the package manager for Debian-based operating systems, such as Ubuntu.
It handles .deb files.

When creating a dpkg package (a .deb file), a 'control file' must be made. This includes information about the package, such as the package name, a description of the package, the maintainer(s), and the version of the package.

That control file is used to display the information before the package is installed.

I found that in the "Architecture" part of the control file, you could put format strings, such as %s, %d, etc., and it would output the stack pointer.

For my control file, I have this:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
Version: 1


When building the package, I receive this warning:

dpkg-deb: warning: parsing file 'folder//DEBIAN/control' near line 2 package 'backup:01485120.00415cf8.00000001.00000001.0000001c\n':
 '%08x.%08x.%08x.%08x.%08x\n
Description: Stuff

[....]
01485120.00415cf8 are the stack pointers.


Friday, 31 October 2014

The Apt "buffer-overflow" - CVE-2014-6273 -- And why it isn't a real risk.

With the release of the Shellshock vulnerability, everybody hurried to fix their systems ASAP, and inform others about it. What happened around the same time went a little bit more unnoticed.

A "buffer overflow" in 'apt', found by the "Google Security Team", was reported and fixed in apt-0.7.9+deb7u5.
It made some news among those in the industry, and was considered very bad.

'apt' is the program that is used to download updates and new programs in Debian-based Linux distributions, such as Ubuntu.
It is the equivalent of yum, pacman, etc.

The main concern with this bug is that it is in the way that apt handles its HTTP calls. So, when downloading a program, it will go and fetch 'mirrors.debian.org/whatever/' via the HTTP library that it has (it, for some reason, has its own).

Since apt uses GPG/PGP for the signing of packages, HTTPS/SSL is not required for downloading files, as they are checked against the trusted list of signers in the system.

Since HTTPS/SSL is not required, a Man-In-The-Middle attack can be performed. Normally, a MITM attack would be pointless, due to the PGP/GPG signing of the packages.


The vulnerability that the Google Security Team found was a 'possible' buffer overflow in the way apt handles the hostname of the website that the package is hosted on.

Buffer overflow in libdkimtest - 2014: having buffer overflows in command flags

Yesterday, I found a buffer overflow in libdkimtest.

In this day and age, you'd think reputable programs like libdkim would be safe from buffer overflows in their commandline flags.

"The DKIM project is a portable library that signs and verifies emails using the OpenSSL library."
So it's kind of important.

Yet, you can produce a buffer overflow in it by running:
libdkimtest -i`perl -e 'print "a"x256'`


The vulnerable code itself is in handling the -i flag.

In dkim.h:
char szIdentity[256];     // for i= tag, if empty tag will not be included in sig


In libdkimtest.cpp:

case 'i': // identity
    if( argv[n][2] == '-' )
    {
        opts.szIdentity[0] = '\0';
    }
    else
    {
        strcpy(opts.szIdentity, argv[n] + 2 );
    }
    break;

Really.

You'd think that in 2014, programs such as libdkim which handle the signing of emails would be secure from buffer overflows in their commandline flags.


I guess not.
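
As an added example (my own code, not libdkim's), here is how the -i handling above can be written so that an over-long identity is rejected instead of overrunning the 256-byte szIdentity buffer. The struct, function names and the helper that builds a long "-i" argument (standing in for the perl one-liner in the post) are assumptions of this example; the 256-byte size and the "-i-" clearing behaviour mirror the snippet above.

```c
#include <stdio.h>
#include <string.h>

#define IDENTITY_MAX 256   /* mirrors szIdentity[256] in dkim.h */

/* Stand-in for the relevant part of libdkim's options struct. */
struct opts {
    char szIdentity[IDENTITY_MAX];
};

/* Vulnerable shape from the post, not compiled here:
 *     strcpy(opts.szIdentity, argv[n] + 2);
 * strcpy has no idea how large szIdentity is, so argv longer than 255 bytes
 * (plus the "-i" prefix) writes past the end of the struct. */

/* Hardened parse of a "-i<identity>" argument.
 * Returns 0 on success and -1 if the argument is malformed or the value
 * would not fit in the fixed buffer together with its NUL terminator. */
int parse_identity_flag(struct opts *o, const char *arg)
{
    if (strncmp(arg, "-i", 2) != 0)
        return -1;
    const char *value = arg + 2;            /* skip "-i" */
    if (value[0] == '-') {                  /* "-i-" clears the identity, as in the original */
        o->szIdentity[0] = '\0';
        return 0;
    }
    size_t len = strlen(value);
    if (len >= sizeof o->szIdentity)        /* reject, rather than silently truncating */
        return -1;
    memcpy(o->szIdentity, value, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Builds "-i" followed by `count` letters 'a' into out (constructed test input,
 * equivalent to the perl one-liner in the post). Returns -1 if out is too small. */
int make_identity_arg(char *out, size_t outlen, size_t count)
{
    if (outlen < count + 3)                 /* "-i" + count + NUL */
        return -1;
    out[0] = '-';
    out[1] = 'i';
    memset(out + 2, 'a', count);
    out[count + 2] = '\0';
    return 0;
}

int main(void)
{
    struct opts o;
    char arg[600];

    make_identity_arg(arg, sizeof arg, 256);   /* the crashing input from the post */
    printf("256 x 'a': %s\n", parse_identity_flag(&o, arg) == 0 ? "accepted" : "rejected (too long)");

    make_identity_arg(arg, sizeof arg, 255);   /* longest value that still fits */
    printf("255 x 'a': %s (stored %zu bytes)\n",
           parse_identity_flag(&o, arg) == 0 ? "accepted" : "rejected", strlen(o.szIdentity));

    parse_identity_flag(&o, "-iuser@example.com");
    printf("identity: %s\n", o.szIdentity);
    return 0;
}
```

Rejecting with an error is preferable to a silent strncpy-style truncation here: a truncated i= tag would be signed into the message, which is harder to notice than a command that refuses to run.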

Ethical Hacking: Responsibility & Ethics

When it comes to finding bugs in systems, there are things that need to be considered as to whether or not what you are doing is really responsible.

If for example you are acting anonymously and demanding money for finding bugs, you are not being ethical, nor responsible.

Although it may be obvious to most, the fine line of ethics has fallen short for some, and needs to be spelt out to them.


1. Be transparent with everything

When dealing with anybody, you should make sure they know exactly what you are doing, where you are doing it, when you are doing it, and how you are doing it.
This includes, but is not limited to: Using your real name, real phone number, real email, real IP address.
The perception of the person that is doing the ethical hacking is important. If somebody with an email such as "xxX420_anonymouse_hacker_420Xxx@mail.ru" came along, and was using TOR, and had no visible/confirmable name in the email, then everybody involved is going to be spooked.

Everything you do should be relayed to the company, or documented for their sake.
Let them know at the first possible stage that you are an ethical hacker.



2. Do not gain access to anything that you do not need to. Do not gain access to any 'real' data.

If you find an information disclosure, such as an SQL injection, do not gain access to data.
You can prove things by making the request go to sleep, using SLEEP() in MySQL, or WAITFOR in MSSQL.
If you must get access to minimal data, get only the database names.


3. Confirm and understand vulnerabilities yourself

If for whatever reason you're using an automatic scanner, do not just copy and paste the results into an email and send them off.
Understand exactly what the vulnerability is, and confirm that it actually exists.
Automated scanners are prone to false positives and are not 100% accurate.


If you understand the vulnerability yourself, you can help the company to fix the problem by explaining the exact reason it does what it does.

4. Be polite

As mentioned in the transparent subsection, if you use an email such as "xxX420_anonymouse_hacker_420Xxx@mail.ru", and email a company and say "I FOUND BIG BUG IN YOUR WEBSITE. PLZ SEND ME MONEY OR I HACK UR WEBSITE", it will not end well.

If a website developer does not understand what you are saying, or the vulnerability you are disclosing to them, do not lose your cool. You can further help them by sending sources and articles regarding the vulnerability types.




I may be missing some, but I'm not sure.

Basically, don't be stupid about things, and realize that people are human -- imperfect.

Friday, 17 October 2014

Identity Theft Essay


(This was written for school-work, but due to it being related, I decided to put it up here.)

Identity Theft Essay – Joshua Rogers

With the age of the Internet upon us, identity theft has progressed into a full-time industry for criminals to delve into the lives of others, and attempt to rake in as much profit as possible.


Whether it be Russia, Romania, Ukraine, Moldova, America, Brazil, or China (all hubs for ID theft), identity theft can happen anywhere, at any time, to anybody, in different ways. Although people normally consider identity theft the same as credit card fraud, it actually may consist of multiple layers.
Identity theft is usually split into five sections:
Criminal Identity Theft(committing a crime under another person's name),
Financial Identity Theft,
Identity Cloning,
Medical Identity Theft,
and Child Identity Theft.


Although all are equally prevalent (with the exception of Child ID theft), those that participate in the theft of identities normally stick to financial identity theft. There are more people doing financial identity theft and criminal identity theft, but at a lower magnitude, while there are fewer people doing identity cloning and medical identity theft, but at a larger magnitude.

Saturday, 27 September 2014

Having fun with passwords in Ubuntu RE: intruders/police/etc.

In movies, TV shows, and comics, the idea of a "trap passcode", "secondary password", "fake password", "kill-switch password", etc., is used every now and then: a bad guy (or a good guy) is provided with a passcode to something, only to find out that that passcode is set up purely for intruders.
Whether it be wiping the whole system, or a strange gas coming out of the console to concuss the person typing it, the idea is always the same.

In the real world, it's hard to do this sort of thing without it being detected. One method is using incorrect passwords through PAM. This is what I'll be detailing in this blog.


To set this up correctly, it needs to work in a way that after the script has run, it removes itself, and any traces of its actions.
If, say, you're in a corrupt/fascist country such as Australia, the police can apply for a 3LA order, which requires you to hand over your computer passwords, encryption keys, and anything they feel would help them with their investigation, or you can be charged with a crime for which the maximum prison term is 2 years. -- This includes SSH keys to foreign servers.


If you're a political activist, the access of your sensitive data is 100% unacceptable.
Arguably, forcing somebody to hand over encryption keys is undemocratic, and is comparable to the acts of the Stasi.

Tuesday, 5 August 2014

Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit.



Update: It has been patched on the 12th of August. "Surprise?"




[Revision; 6th of August, 2014]
To make it clear: The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method.

It works even without an eBay account, actually.

https://www.paypal.com/cgi-bin/webscr?cmd=_integrated-registration&key=0&stamp=1364194631&data=JGHnP2g2ybqbgKfR7%2B1loOlg24LvI/VppQIqFE8DyTO9hqc1x1pQw42CCLy3EdEogm85LYOTKtU2wYNfjFZvuHSx4PjAHLVtlv6sYdPl2FIBLN7BNr3l%2BPe0WPeDhopUWqhw0PYE9EAyZPkgIZWJgWKGGGNPqdQRjlbNGoCCIox7RLfKmtEDeH8KXEOzZDSmvETO%2B7fkoy06CLe9CkJhE0V8Mh9QN/wNYIF6WMFgHsze7RAS8Qe3j/U9I9zYXDPcfB2L5AVCYI53jcWUOxeKXSlcoV0eIcxkLOkLfmSqnaY9vywEQEhEU2PYoKSqefaZBPFh6Y7kWXVD/7id8PvkrJzKaCUq0nhBRfFGtf1kYrK0ZgX%2Byws4HmiTn4GEL/gaUPtpWviP4BCJmeGOhzQEhbFNYwzuzmOWAaqYfsa62DsAcq3LUy1DyAmBfsLhwzRyzZhKlg1NRz5MxTsuBqlh72W6ytc1gEMwh%2BJtBxZTf7EggIaTRLdpjXMlZmwRjkMH2BjX8P4968XicykzmLhTpqpg507flV%2Belq3QNBd9cAliSskS3n/%2Bd1os7FQBnogr4tZ7srcTkoPM5nezXqz3caE/loqoJnkWvlRYfNJpSSysjQ%2BThTgiwNtk4eh8X2r3LhepLD27KdM7I299%2BnWVF9veVjw625ZT%2B3MyQMiO7FbMJdng5baW%2BZIRFIear2GlEJVXMlftP3ibMJAmzGrnKqB0sPwY3augnaBNnz4u32QAaxg8zhvz5FEaELdpFxJ4ptLdRc2MFUBFkUDm%2B5tlpuNl9JzgKTDQnXzYxX/2KYAznivHTlsCcwH68kL6EqoiGGTsFoLzp8TqnLvizULu6tdfnTAhhxV6kCeRRoyN/a62wahvxDibJgTnTjp4d3/xm4nhkQhQ5/xUgtAN9T1aa7n5PinOWS84AOFR0TB3KpwHsQkoQCGXvzdYZh4wD8ECQzYS9lbpaCLm13GqPGK4xC6K2vat8/gt9uoiJbiy77SK2PcMhcRS3KbK9Z0HtDCl&ev=1.0&locale=en_US


--




This blog is an excerpt from my blog entry, "Paypal's 2-Factor Authentication (2FA): The Good, The Bad, And The Ugly", in which I detail the use[fulness] of Paypal's 2-Factor system.

On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a "special" Paypal page.




Saturday, 5 July 2014

PTV; The police, and the aftermath.

For backstory regarding the PTV story, the following articles should be read:

(Sydney Morning Herald) Schoolboy hacks Public Transport Victoria website - PTV #1
(Wired) Teen Reported to Police After Finding Security Hole in Website - PTV #2
(ABC) Melbourne schoolboy exposes security flaw in Public Transport Victoria's website - PTV #3


This blog entry is more a "diary" of what happened after the story broke.

Originally, I found the bug on the 26th of December, 2013, at around 2AM.
I reported the bug at around 3AM to around 30 company emails.

On the 6th of January, 2014, the original reporter (Adam Carey) was contacted by PTV, and was told that PTV had contacted the police (it was assumed that if he didn't publish the story, they wouldn't contact the police; but this is unknown).

On the 7th of January, 2014, the story was run in The Age(Fairfax) newspaper.




On Thursday, the 8th of May, 2014, at 8:15AM, 6-8 fully armed police officers showed up at my place of residence (my house). Three of them were e-crime.

A warrant was served to me, and two e-crime officers went into my room and started to catalogue my electronic belongings, and then seal them for evidence.

Two of the other (non e-crime) officers sat me down, and started asking me general questions, such as how I was, etc. I commented to them how I had been warned around a week earlier that a search warrant may have been approved by the court, and would subsequently be executed (I have a contact). They were definitely stunned, but we didn't speak of it other than that.

Interestingly, the day before, I was given information by somebody else in regard to somebody that was going to team-kill me at the end of a game. i.e. contacts are good.

Friday, 27 June 2014

Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)

Introduction

Paypal, like many other services, offers 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service: through a one-time code sent as an SMS to your mobile phone, or through a physical, credit-card-sized code generator. (Or optionally, a VeriSign ID Protection key, which you can set up on your phone for free here.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the lack of apparent security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes even when you do have access to your device, the code just doesn't work.


In this article, I'll be detailing "The good, the bad, and the ugly" of Paypal's 2FA programme. This includes what works, how it works, how it doesn't work, and the security implications (full disclosure: there is/was a complete bypass for the 2FA without security questions).


Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their credit-card-sized number generator, and the VeriSign key generator.



Tuesday, 10 June 2014

Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.

Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them, without interrupting usability by the average user.

In this blog we'll be running through vectors of attacks that one could use to gain access to your unencrypted data.


Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04 LTS (Trusty), and all commands and patches work on it for the author. The author accepts no liability when it comes to these commands/patches being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with filenames encrypted. This can be checked using the command `ecryptfs-verify -h -e'.
4. It is assumed you do not have the evil program called Java, or any of its counterparts like IcedTea, etc. installed.


When you're told to run the program 'Nano', you can use vim, vi, emacs, etc. Nano is purely the text editor that I use. To exit Nano, press Control-X.



Monday, 26 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty

In the middle of January 2014, I submitted a bug to Facebook through its bug bounty program.



The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then log in to Facebook with your Skype.



Here's a look at how it worked exactly:



In Facebook's "Find Friends" feature, you can log in to your Yahoo, Outlook, Skype, and other accounts to add people into your contacts list on Facebook (and then in turn add them, I guess).

The feature in question

By logging into your Skype account in the feature, and pressing "Find Friends", you were taken to the next page.

Sunday, 25 May 2014

SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains

eBay



Whilst looking for some bugs in ebay.com and ebay.com.au, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone a while ago.

The website is exactly the same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
The database itself was most likely part of http://ebay.com/, too.


On the third tab of the page, there's a link to the 'Categories' section. -- If anybody has ever used eBay before, they would understand what this is: a list of categories where you can view items to buy (or in this case, go into a sub-category).

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe at the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page. -- Pretty much the poster child of a blind SQL Injection.

Friday, 23 May 2014

BCrypt for PHP

(This was originally posted in 2012, so numbers may be incorrect per current hardware)

What is BCrypt, and why should you care about it?



BCrypt is a hashing algorithm based upon the Blowfish cipher. Not to be confused with the fish, the Blowfish cipher was originally created in 1993 by Bruce Schneier, and is still one of the best encryption methods currently available, in my opinion.


BCrypt is currently implemented in the crypt() function in PHP >5.3.7. It is implemented in previous versions too, but a bug was found that affected those versions.

Here is an example of using BCrypt:

function hash_pwd_bcrypt($password, $salt) {
    $cost = 15; // must be in range 04 - 31

    // The salt can only contain the characters "./0-9A-Za-z" and the length must be > 2, so the input gets md5ed.
    // crypt() uses only the first 22 characters after the "$2y$NN$" prefix as the bcrypt salt.
    return crypt($password, '$2y$' . sprintf('%02d', $cost) . '$' . md5($salt) . '$');
}
I recently created a thread on vBulletin.org regarding BCrypt password hashing integration into vBulletin. The thread can be found here – http://www.vbulletin.org/forum/showthread.php?p=2369367



Why shared hosting is nearly NEVER the way to go.


(This was originally posted on October 17, 2012)

Shared Hosting

To most security-oriented people, the use of shared hosting is a big no-no when it comes to businesses with an online presence.
When it comes to normal, every-day companies without a team dedicated to security, things can be overlooked, or just completely unknown.

Bewilderment of shared hosting


What exactly is shared hosting?
Shared hosting usually consists of a dedicated server, and a lot of FTP accounts/users.
Every 'user' of the shared hosting gets their own account on the server, and access to a small portion of the resources.

Much like a share house, you basically get a room for yourself, and share the cost of resources (food, power, etc.) with the other tenants.


Insecurity


Why is it insecure?

Well, as previously stated, shared hosting is much like a share house. You share the whole house with other tenants, and you all get a room for yourself.

In the sense of security: you have to trust all of the other tenants to 1) not steal anything, and 2) not lose their access, which would let somebody else steal from them, AND from you.

It wouldn't matter how secure your website is if another website hosted on the same server as yours isn't -- A hacker could gain access to another website on the server, and easily access the files on your website.


Another possibility is that an attacker could use an exploit to gain 'root' (admin) access to the server, and be able to control everything.
They would be able to delete your files, and upload malware to be distributed to your viewers/clients, ruining your reputation, and possibly ruining your business.

Example


Let's try out the domain belfastboatclub.com. By going to the website http://www.yougetsignal.com/tools/web-sites-on-web-server/ and entering 'belfastboatclub.com', we are presented with a list of 479 websites that share the same server with the Belfast Boatclub.

If a single one of those websites is vulnerable to hacking, that means belfastboatclub.com is too.



Conclusion

Not using shared hosting is very easy. Renting a VPS, which although 'technically' shared, removes most of the risks associated with shared hosting, and could potentially be cheaper.

Why save $50 a year from not using a VPS, but potentially ruining your whole business?

tl;dr: if you are a business that actually cares about your data, don’t use shared hosting. (Just because you have your own IP address does NOT mean that you are not on shared hosting.)

Initial Commit.. I mean post.

This is a test of Blogger.

Bold

 Minor heading

Heading

Heading

Subheading