Thursday, March 31, 2005

An example of social engineering

A marketing guy tries to cold-call an important executive of a particular company. As soon as the executive sees the unrecognized number, he lets the call go to voicemail. If you were the marketing guy, how would you social engineer your way to the executive?

Now as you know, phone numbers in a company are always assigned in a particular series. I'd call up one of the other numbers in the series (not the executive's number). My conversation would go something like this:

Bob: (who picked up the phone): Hi, this is Bob.
Me: Bob? (acting surprised). Oh, seems that I have reached the wrong number. I am a friend of <enter executive's name> and was trying to reach him. Could you do me a favor and transfer me over to him?
Bob: Sure

Bob dials the extension of the executive to transfer the call. The executive sees an internal extension number on his phone and picks it up. The marketing guy is now connected to the executive. Whether the marketing guy has the ability to hold the executive's attention is altogether a different story.

Btw, if I were Bob (the guy who picked up the phone), I'd politely tell the other guy that I am transferring him to the receptionist. I'd let the receptionist do the 'background check' before deciding how to deal with the call.

Tuesday, March 29, 2005

Free open-source antivirus for your personal computer

Do you have an antivirus installed on your personal computer? Is it up to date with the latest patches/updates? Did you renew your free subscription to the antivirus that came along free with your PC?

I bet over 50% of average home users don't have an antivirus to protect them from all the evils lurking out there. Security is not the number one priority on their list (does it even make it to the list?). They think that somehow, someone is going to solve this problem for them. It is 2005 and unfortunately the security situation is going from bad to worse. It is imperative to at least get a decent antivirus for your personal computer. Even with the firewall that comes along with Windows XP SP2, you need an antivirus.

Some popular antivirus programs from companies like Norton or McAfee cost around $25 - $40. For those who feel that they have blue blood and shouldn't be asked to pay for an antivirus, there is a way out. Download and install the open-source antivirus toolkit called ClamAV. It's free and it works like a champ. I have been using it for over a year now on my Linux server. No issues whatsoever.

You can download the Windows version here.

Be safe.

Monday, March 28, 2005

More on WiFi's "Evil Twin"...

Expounding on what I had said earlier, if you set up a fake access point (AP) having the same SSID as that of the legitimate AP and transmit on the same channel as the original AP, you could potentially take over the user sessions. There is NO way to identify the legitimacy of an AP except for its SSID. This is true for APs that don't use WEP (or some variant).

How difficult is it to find out the SSID of an AP? Well, most SSIDs are set up by default in broadcast mode. Anyone with a WiFi laptop can easily pick up the SSID of an AP. For the more adventurous, there are programs like AirSnort that can sniff out the SSID of an AP, even if it is not set to broadcast mode.

Take the case of an airport. An airport cannot use WEP. Otherwise, they would have to go around telling everyone who wants to connect to their wireless network what their WEP key is. This defeats the purpose of having a WEP key in the first place. It's the equivalent of telling everyone your password. They normally set up a default page that lets you either sign in to your account or create one (with a credit card, of course). Now imagine if someone sets up a fake sign-in/sign-up page and asks users for either their login/password or their credit cards.

Can you think of a remedy to this problem? Well, let me know through the comments of this entry.

Sunday, March 27, 2005

Meet WiFi's "Evil Twin"

Scenario #1
A hacker installs a fake access point near the real WiFi network. The hacker then sends a stronger RF signal basically disrupting the signal of the real access point. Users lose their connections to the legitimate AP and re-connect to the "evil twin", allowing the hacker to intercept all the traffic to that device.

Scenario #2
A hacker could easily set up a fake login page that mimics the one from the local coffee shop. (Of course, the hacker has to be in the vicinity of the coffee shop, probably even sitting inside the shop enjoying coffee.) New users wanting to connect to the coffee shop WiFi would accidentally connect to the fake WiFi and give out their credit card details or their login and password.

These things are difficult (not impossible) to pull off in the wired world, because it requires physical access to the network.

When you connect to a WiFi access point (might be your corporate network, a public access point in a coffee shop or even your home network), how do you know it is really the one that you wanted to connect to in the first place? That's one big hole in the WiFi technology.

Wednesday, March 23, 2005

URL spoofing - part I

So a link shows up in your email, which looks like this:

http://www.some_banks_homepage.com%01%00@fake_site.com/scammer.html

Where do you think you will go if you click on the above link? Although I've made it obvious in the above URL, a lot of people would still say that it would go to "www.some_banks_homepage.com". If you said "fake_site.com", congratulate yourself because you have just passed the first lesson in recognizing the target destination by looking at a URL.

Normally when phishers and scamsters send out mass emails, they include such links in their emails. The URLs are so long that only the first few characters of the URL appear in your email client (or browser). The "fake_site.com" part of the URL is way outside the visible area of your email client or browser, making it difficult for the average Joe to figure out where he is actually going to go after clicking on the link.

When I tried the above example in the Firefox browser, it alerted me that someone might be tricking me to go to the "fake_site.com". Microsoft's IE browser gave me an invalid syntax error and didn't open the site. So the browsers have evolved to an extent to make this kind of spoofing difficult.

For those of you who are interested in knowing why the browser would take you (if at all) to the "fake_site.com" address:
If a site uses authentication (a challenge authentication protocol, HTTP response status code 401), then you can pass along the username and password beforehand through the URL itself, e.g. http://username:password@some_site.com/. Taking advantage of this feature, the above malicious URL uses the name of the trusted site "some_banks_homepage.com" as the username in the URL.

Next time, I'll discuss some other kinds of URL spoofing. Adios.
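
The userinfo trick described above can be checked mechanically. The following is an added example, not code from the original post: it uses Python's standard `urllib.parse` to report which host a link really targets and whether the part before the `@` is dressed up as a hostname. The function name `analyze_link` and the warning labels are hypothetical.

```python
from urllib.parse import urlsplit, unquote

def analyze_link(url):
    """Return the host a client would contact plus any userinfo warnings."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at, _ = parts.netloc.rpartition("@")
    warnings = []
    if at:
        warnings.append("userinfo-present")
        decoded = unquote(userinfo)
        # Percent-encoded control bytes such as %00 or %01 have no place here.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
            warnings.append("control-chars-in-userinfo")
        # Drop control bytes, then see whether the "username" reads like a domain.
        name = "".join(ch for ch in decoded.split(":", 1)[0] if ord(ch) >= 0x20)
        if "." in name and name.lower() != host:
            warnings.append("userinfo-looks-like-host")
    return {"host": host, "userinfo": userinfo, "warnings": warnings}

# Sample links: the first two are the URLs quoted in the post, the third is constructed.
SAMPLES = [
    "http://www.some_banks_homepage.com%01%00@fake_site.com/scammer.html",
    "http://username:password@some_site.com/",
    "http://www.some_banks_homepage.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = analyze_link(link)
        print(f"{result['host']:32} {result['warnings']}")
```

A mail filter or link checker can apply the same test to every `href` it sees and display the returned `host` next to the link text.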

Monday, March 21, 2005

War dialing

War dialing is a technique that uses software to dial hundreds of telephone numbers, hoping to connect to a modem that would act as an entry point into a corporate network.

Back in the old days, modems were kept connected to computers for communication purposes. Sometimes a cracker (a person who breaks into a computer system without authorization) would find out one of the telephone numbers of a company. Telephone numbers are always allotted in blocks for corporations. Once a cracker found out a number, s/he would then start dialing hundreds of numbers both preceding and following that number in the hope of getting connected to a modem on one of the lines. Once the cracker is connected to a modem, s/he tries various password combinations (or even tries a brute force attack) to get into the network.

These days, almost all corporations use high-speed connectivity (DSL, cable etc). War dialing has been replaced with war driving attacks. War driving is a technique that uses a WiFi-enabled laptop or a PDA to sniff WiFi networks (preferably corporate). Even crackers need to keep up with the changing times.

Wednesday, March 16, 2005

Getting unstuck on an HTTP island...

Sometimes while traveling, you come across a hotel network or a WiFi spot that has a restrictive firewall that only allows HTTP traffic to flow through. What if you wanted to check company email through an IMAP/POP3 service? Are you stuck on an HTTP island? Well, no. Luckily there is a workaround.

httptunnel (written by Lars Brinkhoff, license: GPL) creates a bi-directional virtual data connection, tunneled in HTTP requests. So basically, you could connect to any service you wanted through this HTTP tunnel. The traffic flows right through the network's firewall unobtrusively, because it's all HTTP traffic after all.

Have fun!

Sunday, March 13, 2005

Don't use FTP. It is insecure.

FTP (File Transfer Protocol) is widely used for transferring files to and from servers.

How FTP works: An FTP client connects to an FTP server (usually denoted by the ftp:// protocol), using a username and password. Once the user is connected, s/he can download or upload files depending upon the permissions set up by the server administrator.

Why is it insecure? Like its HTTP cousin, the FTP protocol also uses plain text to transfer data back and forth between the server and the client. All communication is done in clear text. Even the username and password that you type in to connect to the server are sent over the wire in plain text. NO encryption of ANY kind is used in the entire communication. If someone sniffs the FTP username and password, s/he could easily connect to the server and could potentially delete the files.

The solution: Use SFTP (Secure FTP). SFTP is a totally different beast than FTP. SFTP uses SSH as transport for all communications between the client and the server. Now, because it uses SSH as a means of transport, the entire communication between the server and client is encrypted and totally secure. WinSCP is a great SFTP client that provides the same consistent user interface as other popular FTP clients.

Any system administrator worth his salt should disable telnet and FTP on the servers they maintain. I strongly recommend using SSH logins only for terminal access as well as SFTP.
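
To see why the cleartext login matters to a defender, here is detection logic over a constructed FTP control-channel capture; it is an added example, not part of the original post. The `C:`/`S:` line prefixes, the sample accounts and the function name `cleartext_logins` are assumptions made for illustration; the USER/PASS commands and the 230/530 reply codes are standard FTP.

```python
import re

# Constructed control-channel capture (port 21): "C:" client line, "S:" server line.
CAPTURE = [
    "S: 220 FTP server ready",
    "C: USER alice",
    "S: 331 Password required for alice",
    "C: PASS EXAMPLE-PASSWORD",
    "S: 230 User alice logged in",
    "C: USER bob",
    "S: 331 Password required for bob",
    "C: PASS EXAMPLE-WRONG",
    "S: 530 Login incorrect",
]

COMMAND = re.compile(r"^C: (USER|PASS) (.*)$", re.IGNORECASE)
REPLY = re.compile(r"^S: (\d{3})[ -]")

def cleartext_logins(lines):
    """Report every login whose password crossed the wire unencrypted.

    The password itself is never stored; the finding records only the
    account name and whether the server accepted the login.
    """
    findings, user, pass_seen = [], None, False
    for line in lines:
        cmd = COMMAND.match(line)
        if cmd:
            verb, arg = cmd.group(1).upper(), cmd.group(2)
            if verb == "USER":
                user, pass_seen = arg, False
            elif user is not None:
                pass_seen = True          # PASS observed in the clear
            continue
        reply = REPLY.match(line)
        # 230 = logged in, 530 = not logged in (standard FTP reply codes)
        if reply and pass_seen and reply.group(1) in ("230", "530"):
            findings.append({"user": user, "accepted": reply.group(1) == "230"})
            user, pass_seen = None, False
    return findings

if __name__ == "__main__":
    for finding in cleartext_logins(CAPTURE):
        print("cleartext FTP login:", finding)
```

Any account this reports as accepted should have its password rotated and be moved to SFTP.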

Monday, March 07, 2005

Open directory vulnerability

"Having an open directory on your system is in fact an open invitation to hack".

Let me explain. Last week, I was working on some UML stuff and wanted to try out an evaluation version of a top-rated UML drawing software (I am not naming names, to protect the guilty). While waiting for the huge download to complete, I poked around their site to see what was going on behind the scenes. Once in a while, I'll do a view->source on a site to see what's going on behind the scenes. Sometimes, I'll add or remove parts of a URL just to see how well a site handles broken URLs.

Anyway, on this site I discovered that they had not turned off directory listing and in fact everything in that particular directory was directly visible to me. Next, I did a view source and tried to find out the directory structure of their site (things like images directory etc). The /images/ directory was open and so was the /php/ directory. Upon going to the /php/ directory, I saw that there were certain /php/blah-blah.php.bak files. Now the million-dollar thing to notice here is that the .php files are executed and only the content is served. But if a file has a different extension, the source code is sent out by the web server. The file is not executed. I downloaded the PHP (backed-up version) files and saw that they contained a lot of sensitive data (like SQL queries which reveal the database structure, database username, password etc).

Do you realize how having an open directory on a site could lead to someone learning the database information? That's why it is important to get your act together and disable directory listing for websites.

(For those of you who are curious, I am currently working with the management of that company to close the security holes on their site. Also, as a reward for my efforts, they gave me a free copy of the enterprise edition (worth $1600) of their software for my personal use. Woohoo!)
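
One way to audit your own web root for the two problems described in this post (listable directories and backup copies of scripts that get served as source), as an added example that is not part of the original post. It assumes the server executes only `.php` files and treats `index.php` or `index.html` as index files; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

SCRIPT_EXTS = (".php",)                    # extensions the server executes (assumption)
INDEX_NAMES = {"index.php", "index.html"}  # assumed index file names

def audit_docroot(root):
    """Return (exposed_sources, unindexed_dirs) as sorted '/'-separated paths."""
    exposed, unindexed = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & set(files):
            # With listing enabled, a directory lacking an index file shows its contents.
            unindexed.append(rel_dir.replace(os.sep, "/"))
        for name in files:
            lower = name.lower()
            # "db.php.bak" contains ".php" but does not end with it, so the server
            # treats it as a static file and returns the source unexecuted.
            if any(ext in lower and not lower.endswith(ext) for ext in SCRIPT_EXTS):
                path = os.path.normpath(os.path.join(rel_dir, name))
                exposed.append(path.replace(os.sep, "/"))
    return sorted(exposed), sorted(unindexed)

def build_sample_tree(root):
    """Constructed sample site mirroring the layout described in the post."""
    layout = {
        "index.php": "<?php echo 'home'; ?>",
        "images/logo.gif": "GIF89a",
        "php/db.php": "<?php /* live script, executed by the server */ ?>",
        "php/db.php.bak": "<?php $db_user = 'PLACEHOLDER'; ?>",
        "php/login.php~": "<?php /* editor backup copy */ ?>",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write(body)

def run_sample():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_docroot(root)

if __name__ == "__main__":
    exposed, unindexed = run_sample()
    print("served as source:", exposed)
    print("listable if directory listing is on:", unindexed)
```

Point `audit_docroot` at a real document root before each deploy; anything in the first list should be deleted or moved outside the web root.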

Sunday, March 06, 2005

Hacking target practice

I ran into this site called Try2Hack. The site has various levels that you have to hack to move up to the next one (of course, playing by their rules).

I reached all the way up to level 5, upon which they wanted me to download a VB file to proceed. I didn't go any further, because I would have needed the VB editor to hack into that file.

Do check it out! Let me know up to what level you reached via comments on this blog.

Tuesday, March 01, 2005

Getting back at a script kiddie

This blog (besides a host of other things) is hosted on a server that I own and manage. Now time and again, I see various script kiddies or even crackers attempting to gain their way into my box. Some of them will try to exploit Windows IIS exploits (hey script kiddie.. if you do some OS fingerprinting, you'll know upfront that this is a Linux box). Some crackers try to brute force username/password combinations. Some even dare to try to pretend to be the 'root' user. Sheesh!

Normally, I do keep a pulse on the various aspects (security and otherwise) of my server, but ignore stupid script kiddie stuff. For the past few weeks, a script kiddie (I'll write about script kiddies in one of my future posts) was trying to get into my system on almost a daily basis. I ignored him/her for a few days and then it got on my nerves.

I found out that the guy was running a mail server on his/her box. I connected to the mail server on port 25 (SMTP) and poked around looking for a way to send a message to the box owner. Finally I left a nasty mail on the root@localhost asking him/her to stop mucking around with my system. That did the trick. No more attacks from that host at least. That was my way of getting back at the script kiddie.

Copyright Anand Jain 2004, 2005. All rights reserved.