Adobe user database leak

While the media has been talking abuzz about Adobe data leak, the figure is staggering 153.9 million user ids.

To be exact, the number is : 153,989,523 email addresses! That’s right! it is ~154 Million user ids!

Think of a spammer who can get hold of such data? Though nothing much can be done about the exposed emails, it is advised to change the password of the Adobe ids to something more secure and not used across any of the sites.

If one has been using the same password (which most do! :( ) across multiple sites, it is strongly advised to change the password as soon as possible because it is only a matter of time that the Adobe’ encryption keys are hacked. Though for a security researcher, it would be an apple for analyzing all the passwords, but even without the encryption key, using the password hint, a list of top used passwords (really crappy list which has been advised for ages to forgo.) which still brings the quirks of security.

Humans are inevitably the weakest, weakest link in the security chain. Be whatever the system, cryptography, perimeter security, application security, host security and what not, if one use a crappy, easy to use password, it is matter of nanoseconds before everything gets compromised. We (collectively) for some reason, cannot or do not want to follow the advice of using some common passwords. Be it laziness or because of the importance of target system, but tend to follow a similar pattern for secure and protected, high sensitive system because when a habit is formed, it becomes routine and human mind gets accustomed to it!

After all we are humans. With different ethnicity, language, culture and relationships, but united in the cause of using crappy passwords! When will we learn? I am strongly saying the day will never come. Believe me, in the case of my entire security career which has spanned across two decades, I have seen the same passwords even followed by various device manufacturers, application makers, using as at the default root level / admin level accounts, hoping we the humans will change it after we start using (which we don’t).

The internet is spewed with articles, suggestions, algorithms, advices on choosing a strong password and yet we fail again and again and forever!

Will the world change and by when? Answers is: in 123456 years probably!

Do not trust Chinese routers, especially D-LINK – As they contain backdoor!

A group of researchers found a backdoor in a set of D-LINK routers. Well, not a news but expected and good to be uncovered. Does it call for a deeper inspection of other brand routers? Better of with the open firmware like DD-WRT or OpenWRT or TOMATO! At least you know what you are loading on to the device.

The discovered backdoor can bypass the authentication step and land directly to the admin interface!

Pretty nifty isn’t? That’s what a backdoor is for.

Method to access: Just change the User Agent string of your browser to “xmlset_roodkcableoj28840ybtide” which is actually a reverse of “editby04882joelbackdoor_teslmx”.

Nice huh?

“edit by 04882 joel backdoor _teslmx”

One of the very few backdoors which actually spelt backdoor! :)

How to change the User Agent? It is very simple for non-IE browsers. Check in the configuration settings for Agent by typing about:config in the address bar.

If there is an option, you could change it and restart the browser for the new string to take effect. To check if it changes, use Netcat, start a listener on the local interface using “nc –vvns 127.0.0.1 –Lp 888” at the DOS prompt and type “http://localhost:888” and you can see the request on the command prompt window. You can check the User Agent string value and see if it has been changed according to the above setting.

Else check for some plug-in which can be used to change the User Agent string of the browser to what you want text!

More info about the backdoor and affected devices from http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

More and more of such news is actually taking away the trust on device manufacturer whether they are Chinese or not!

Well, like wise Intel who have a embedded SIM enabled on the processor for remote access, software manufacturers having hidden backdoors, etc,.

It is nice to see some researchers burning mid night oil to uncover snake oil products (what else to call ‘em?) and legitimate products which such nonsensical backdoors. But when it comes to hardware it is pretty much out of reach for any one to have a look at it to understand what it does when a specially crafter instruction / packet or a command is sent. It is actually scary to know what lies between the multi layered PCBs and components and what they are capable of. One could still argue, being a layman we might not have to worry about such things because of the information value we hold, but think about a top secret facility or a government or some one having a high value research data, it is pretty scary on what to trust. Ultimately, mate, anything electrical / electronical should not be trusted. No matter if it is a connected or disconnected device, powered on or in off state. Just don’t trust it!

I may be paranoid, but it goes with the saying of you know who:

“A computer switched off, unplugged, buried under ground in an unknown location on earth cannot remain safe! Then how our devices can be???”

And I don’t want to open another can of worms with the recent PRISM happenings as some things are better left not discussed. Beware!! it is not being promiscuous!! But just like that! Many more to go before the EOW!

Password creation – Tips and Myths

Not all use complex password. Us humans tend to use simple (read very simple) words for passwords (such as password) for most non critical logins, gets deep into our system of using passwords and becomes a habit (which is pretty hard to break). This causes lots of unwanted issues when the third party system (which obviously we trust) leaks the passwords or the hashes (any type. Strength is not a problem). Some advocates state that a hashing should be used with a salt, but does not really improve the security if the database gets compromised and the salt values are known to attacker.

Most of the common password cracking aka brute forcing tools has an option to specify the salt to check. It really does not improve any security if the user uses “password” as the password. The top passwords list is tried first to crack the so obvious accounts within seconds and a larger dictionary is employed for the rest. With the advent of CUDA / OpenCL the time to brute has reduced leaps and bounds. I have written a password cracker in CUDA which can crack some hashes like NTLM at a whopping hashes per second. Though it is used only for private use, I am sure more such tools like HashCat / oclHashCat which are available freely can be employed by any one who has a decent hardware or it can be rented from the cloud.

What really secures the password? Okay. Do not say the answer is the Google Ring! I will not use it! Instead the following might be of some help. Though I might not be the expert (disclaimer!!!), I have been following what I am going to preach.

Not all passwords with special characters are safe if it is less than 14 characters. Common, a 14 character key space is not strong enough even if it employs special characters. Believe me, there are only a few special characters which most people use! :D. Armed with a little background on the frequency analysis, the keyspace gets drastically reduced lowering the security of the so called complex password.

A simple method of using longer, totally unrelated (but meaningful to you) sentences make a very good password. And it exceeds the common character limitation which you will find in a normal complex password. Multiply that by the number of sites for which you have use a unique password, only a tool like LastPass can offer some help! Even a sentence like “Attendingevening.school” can be a good password which is not forgotten, can be typed easily and offers a pretty decent security. Also, typing such passwords on to the mobile device is very easy! believe me!

Also always check out the password’s strength using some online tool like PasswordMeter!

Placing a random dot between words makes a lot of sense and improves the security. Really you don’t have to worry above the bla bla bla password policies and will still conform to most of the commonly used policies (Unless you are in a super special sterile environment!). I hope it makes a difference!

Be sure to checkout the Password Info graphic from ZoneAlarm! A pretty interesting read too on what not to use!

Diving into windows registry for forensic data

As a forensic examiner, looking at a cloned system for possible timestamps of a drive-by-download attack, windows registry has some small foot holes to gather evidence (real or not). Atleast, will surely give an idea about how, when the attack has happened. Trusting the system time was intact and all the sole purpose for this exercise was to learn, having a look at registry keys armed with some freeware tools provide some data. Correlation plays a key role in identifying how and when the devices were connected to the system.

Freeware tools used to achieve the above are:
USB Device Viewer - A tool which provides a complete history of all removable devices connected to a Windows based host.
http://www.nirsoft.net/utils/usbdeview.zip

Direct Registry Browser from
http://www.sysdevsoftware.com/soft/dreg.php which can be used to browse the registry in case of offline image based forensic analysis.

Registry Browser from SoftSpot Software.
http://www.softspotsoftware.com/pages/downloads/RegBrowser.zip which can be used to view the timestamps on the registry key. There is a Nirsoft tool to view the same, but I prefer using this software.

And lastly, the infamous ProcMon from Microsoft Sysinternals Lab.
The latest version can be downloaded from http://live.sysinternals.com/Procmon.exe
It can used to get knowledge about the registry keys being accessed during the use of the above tools.
Tip: Set a filter on the process names to reduce the output while using the above tools.

The rest is left as an exercise to the readers (??!!!) as how find out the usb devices connection time and et all!

Happy forensics!

Installing IE8 without the usual update process, scanning and et all!

I recently had a requirement where I had to test an application in Internet Explorer 8, but the rig had only Windows XP SP2 with IE6. When tried installing IE8 using the official installation, it was prompting to install a bunch of updates, malware scanning and was taking forever. Thought for a moment and tried the following steps which worked:

• Downloaded the IE8 installation from Microsoft.com
• Used the Universal Extracter and extracted the IE8 installer executable to a directory
• Copied the complete extracted directory to a thumbdrive and moved it to the testing rig
• Executed the iesetup.exe inside the update directory

Double clicked on the iesetup.exe and voila! Internet Explorer Installation screen greeted with the usual update option. Neglected the warning, options and clicked on install Internet Explorer 8.

After a few minutes, the system requested a reboot and IE8 was up and running.

 

While I was happy to have the system updated with IE8, it is definitely not recommended unless one knows what he/she are doing. Please read the above procedural steps with standard disclaimer and warning!
It might cause system instability / security issues will still be open and is not recommended at all. This post for documentation purposes only and to have an artifact that it can done!

If you require help in locating universal extractor, try  http://legroom.net/software/uniextract and it is free. Please scan the files if you download from any other sources.

IE8's official links are:
Windows XP (32 Bit): http://download.microsoft.com/download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe
Windows XP (64 Bit) : http://download.microsoft.com/download/7/5/4/754D6601-662D-4E39-9788-6F90D8E5C097/IE8-WindowsServer2003-x64-ENU.exe
Windows Vista (32 Bit): http://download.microsoft.com/download/F/8/8/F88F09A2-A315-44C0-848E-48476A9E1577/IE8-WindowsVista-x86-ENU.exe
Windows Vista (64 Bit) : http://download.microsoft.com/download/D/C/F/DCF5DACB-313F-40C6-889C-AD1F8546099D/IE8-WindowsVista-x64-ENU.exe
Windows Server 2003 (32 Bit) : http://download.microsoft.com/download/7/5/0/7507EBD5-0193-4B7F-9F14-9014C7EB5C67/IE8-WindowsServer2003-x86-ENU.exe
Windows Server 2003 (64 Bit) : http://download.microsoft.com/download/7/5/4/754D6601-662D-4E39-9788-6F90D8E5C097/IE8-WindowsServer2003-x64-ENU.exe
Windows Server 2008 (32 Bit) : http://download.microsoft.com/download/F/8/8/F88F09A2-A315-44C0-848E-48476A9E1577/IE8-WindowsVista-x86-ENU.exe
Windows Server 2008 (64 Bit) : http://download.microsoft.com/download/D/C/F/DCF5DACB-313F-40C6-889C-AD1F8546099D/IE8-WindowsVista-x64-ENU.exe

Happy days!

Truecrypt 7.0 gets Hardware Acceleration and more

Truecrypt - The free open source encryption tool which gives many commercial encryption tool providers to run for their money has once again proved it's worthiness! Just released Version 7.0 has got some really commendable features such as Hardware-accelerated AES, Auto Mounting of the encrypted volumes and partition/device-hosted volumes to utilise different sectors sizes. Though hardware-accelerated AES is currently applicable only for Intel Core i5 and Intel Core i7 processors, it is worthwhile to enable it because it provides up to 4-8 times faster performance compared to the normal open source version of the AES implementation.
It uses the embedded AES-NI (aka "AES New Instructions") instruction set for performing the crypto operations, but it is clear that the key generation does not use the AES-NI Instructions. (Thank god! :))
Check out more from http://www.truecrypt.org/
Use this amazing tool to safe guard your data be it confidential or not! You'll agree with me if you have the habit of carrying your portable Operating systems, Tools sets, Working data and Documents on multiple USB thumb drives wherever you go/roam! :)

Netsparker provides Free Web Application Vulnerability Scanner! No strings attached!!

While companies charge a hefty amount for web vulnerability scanners, Netsparker has made a difference by offering one of the best vulnerability scanner for free! (Free as in Free Beer! :)) No strings attached. The community edition of Netsparker Web Application vulnerability scanner is available for download. The community version too boasts the unique features of the commercial edition which includes False Positive Free, Javascript / AJAX / Web 2.0 support, SQL Injection, Cross Site Scripting.

It can be downloaded from: http://www.mavitunasecurity.com/communityedition/download/ site.