Archive for the ‘Hacking’ Category

Citrix backdoors easy to find

Monday, October 15th, 2007

It appears that Google can be used to find Citrix gateways, which are often unsecured - allowing a hacker to get a command prompt on the servers. This article explains how, and includes a video showing how to get a command prompt from the calculator application - it’s scarily easy…

Update: The video has been removed by YouTube.

Recover forgotten passwords

Friday, October 5th, 2007

This is the kind of software that can save lives. Well, maybe not lives, but it can certainly save a lot of stress when you can’t remember your password to that FTP site, which is saved but now you need to use it on a new machine or provide it to someone else. Basically Snadboy’s Revelation (which also happens to have the best name for an app that I’ve seen this year!) reveals those passwords that are obfuscated by something like asterisks - depending on the operating system. This is definitely the kind of software we’ve all looked for in the past, but we find so many shareware applications that we get scared off by the thought of most of them loading our machines with nasty malware. I’ve checked this one out and it appears to be one of the good ones.

Of course there are also evil reasons to want to see passwords that are otherwise hidden, but I trust you.

iPhone hacking

Thursday, September 27th, 2007

Not that I understand this article fully, but it’s interesting to see how quickly the iPhone has been hacked - and especially interesting how easy it may be to turn the gadget into a perfect spy device. In other Apple news, my flatmate has ordered the iPod Touch so I’ll get to have a play with one soon!

Default router passwords

Friday, September 21st, 2007

If a cracker has physical access to your router then they can probably reset it to default factory settings (this is often just a case of holding down a button for a few seconds). Alternatively you may not have changed the default settings, the most important of which is the administrator password. If this is a wifi router that isn’t secured then anyone within range of the wifi can be issued a network address, access the router configuration, and from there take control of your network. This website has a comprehensive list of default usernames and passwords for routers, which shows how easy it is to get hold of these details. I have checked, and sure enough my router is in there and they’ve got the defaults correct. My advice is to always change these settings to something you will remember, and be aware of anybody with physical access to your router.

Security case files

Monday, September 17th, 2007

I’ve been reading a few of SecurityMonkey’s case files at ITToolBox recently, and can highly recommend them if you’re interested in security. SM uses real life cases that he has been involved in as an Information Security Advisor, and changes the names involved (and probably adds a few flourishes to make it a more entertaining read). See the full list of the case files here.

They’re particularly great because they describe the process of forensics and are peppered with tips on software and hardware to use in certain situations, but without feeling like an endorsement. I hope to read all of the cases, but of the ones I’ve read I can particularly recommend the Case of the arrogant eBayer and the Case of the ethical executives.

One warning though is that the pages seem to take forever to load for me so I usually cancel the page loading once the text is visible.

Hacking Toolkits

Friday, September 14th, 2007

According to this article on the BBC News website, hacking toolkits are being packaged by ‘malicious hackers’ and sold to ‘fledgling cyber thieves’. The danger here is not that these tools are more available (they’re all easy to find) but that those using them may not understand the consequences or even how to operate the tools properly.

I haven’t seen these toolkits myself but I know where I can get hold of various security and penetration testing tools, many of which actually cost nothing but have a steep learning curve in order to use. These tools should be used to learn more about securing your own network, and identifying vulnerable systems. With these skills you will be essential to any company as an ethical hacker (a good guy). The pay is excellent and you should get the same buzz you would if you were a cracker (a bad guy).

Remember, the good guy always wins.

eBay Boobie Prize

Tuesday, August 21st, 2007

Security Monkey over at ITtoolbox has posted about an eBay phishing scam that will strike paranoia into the hearts of bidders. The item in question was listed with a picture of a topless model, which would increase the chances of it being clicked on. The seller then included some Flash in the listing that redirected the user to their own web page, which funnily enough looks just like the eBay log on form.

As Security Monkey points out, more and more users open links in a new tab, and this hack actually takes advantage of the page not being immediately displayed. An eBay item that flashes up with a description and then immediately disappears, only to be replaced with a log on form, would be suspicious to most security conscious people.

SQL Injection Revisited

Friday, August 17th, 2007

After my post the other day about SQL injection I found the Might Seek website’s podcast on hands-on SQL Injection, which guides you through the process many hackers will take to gain information about users and ultimately get admin access to a website. A unique aspect of this tutorial is that the author has set up a website that he invites you to hack whilst you listen.

He’s also compiled a great list of web application hacking tools.

SQL injection for dummies

Monday, August 13th, 2007

It appears that the UN has joined the list of sites vulnerable to SQL injection. According to this entry on Slashdot the technique was used to replace speeches of Secretary-General Ban Ki-Moon with the cracker’s own pacifist message.

I have never used SQL injection to gain access to a site or system, but I am familiar with SQL so I decided to see if I could find a site that may be vulnerable. In the process I discovered exactly how easy it is to perform an attack.

Using Errata Security’s recent entry about SQL injection, I was able to find two sites (in addition to the ones mentioned) within minutes that could be potential targets. After a bit of exploration I had learnt enough, and my advice to any website owner is to protect yourself from these attacks - especially if you run databases containing personal details! It’s not difficult to defend against SQL injection, so it’s surprising that so many sites are sitting ducks.

For more reading I recommend Steve Friedl’s SQL Injection Attacks by Example.
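An added example, not from this post or the articles it links, of why the defence is easy: the injection comes from building SQL by string concatenation, and the fix is to pass user input as bound parameters. The users table and the account in it are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str):
    """Concatenates user input into the SQL text, so quotes in the input become SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()


def login_parameterised(con: sqlite3.Connection, name: str, pw: str):
    """Placeholders: the driver binds the values as data, never as SQL text."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()


def quote_in_name_breaks_query(con: sqlite3.Connection) -> bool:
    """Even a legitimate user such as O'Brien breaks the concatenated query outright."""
    try:
        login_vulnerable(con, "O'Brien", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A password field containing a tautology: the concatenated query matches
    # every row, the parameterised one matches none.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))      # ('alice', 'admin')
    print(login_parameterised(db, "alice", "' OR '1'='1"))   # None
    print(quote_in_name_breaks_query(db))                    # True
```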

Data seepage

Tuesday, August 7th, 2007

In yesterday’s entry I mentioned the GMail hack that was demonstrated at the Black Hat 2007 conference. After reading into it some more I came across the concept of ‘data seepage’ coined by the guys behind Errata Security. This is different to ‘leakage’ in that the average user is not trying to protect the data that their machine is gleefully broadcasting to any listening NIC. Robert Graham has written an application called Ferret, which sniffs a network for broadcast packets. Graham lists some examples of the type of thing you may not be aware that your computer tells the network: “a list of WiFi access-points you’ve got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to”.

I downloaded Ferret 1.0 and although I’m not using a wireless connection, it didn’t take long to see several workstations and laptops appear in the output along with their Windows versions and sometimes the owner’s name in the comments. It wouldn’t take long to enumerate a profile for the office and know the names of several laptop users (probably with wireless enabled). This could be an important first step in social engineering - “Hi Bill, this is Jim from IT. Can you confirm you’re the user of laptop XXXX? Excellent, could you install this upgrade to your accounts software?”

There’s no viewer for the Ferret data yet, but I believe this will appear on Errata’s site soon along with the Hamster software also demonstrated at Black Hat. Hamster allows point-and-click spoofing of cookies via a web interface.

Incidentally, to secure yourself against the GMail cookie sniffing when on a wireless network make sure you access your mail using https://www.gmail.com/ (note the s in https - this is for secure and means all traffic is encrypted).

Check out Errata Security’s blog for latest news of Ferret and Hamster.
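As an added example (not Ferret’s code or anything from Errata’s site) of the “previous IP address you used (requested by DHCP)” item in Graham’s list: a parser that pulls the hostname and requested-address options out of a DHCP request, which is what a client broadcasts on the segment before it has an address. The request is a constructed sample packet, and the MAC, hostname and address in it are made up.

```python
import struct

# DHCP option codes (RFC 2132) and the message types we label.
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the TLV option area that follows the 236-byte fixed header and magic cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def seepage_report(payload: bytes) -> dict:
    """What one client broadcast tells any listening NIC on the segment."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    report = {"mac": payload[28:34].hex(":"),      # chaddr field of the fixed header
              "type": MSG_TYPES.get(msg_type, "OTHER")}
    if OPT_HOSTNAME in opts:                        # option 12: the machine's name
        report["hostname"] = opts[OPT_HOSTNAME].decode("ascii", "replace")
    if OPT_REQUESTED_IP in opts:                    # option 50: the address it had last time
        report["previous_ip"] = ".".join(str(b) for b in opts[OPT_REQUESTED_IP])
    return report


def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST from a laptop re-asking for 192.168.1.42 (sample data)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,   # BOOTREQUEST, Ethernet, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         bytes.fromhex("001122334455").ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 3])
               + bytes([OPT_REQUESTED_IP, 4, 192, 168, 1, 42])
               + bytes([OPT_HOSTNAME, 9]) + b"BILL-LAPT"
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    print(seepage_report(build_sample_request()))
```

Feeding real captures to it (the UDP payload of port 67 traffic) shows the same fields Ferret reports, which is a quick way to audit what your own machines announce.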