The Dark Arts: SQL Injection And Secure Passwords

March 9, 2016 by Will Sweatman 41 Comments

As the year of 2005 was drawing to a close, a website known as Myspace was basking in popularity. With millions of users, the site was the most popular social networking site in the world. It was unique in that it let users use HTML code to customize their Myspace page. Most of us, c’mon…admit it….had a Myspace page. The coding part was fun! But not everything was changeable with code. You could only upload up to 12 images and the Relationship Status drop-down menu only had a few options to choose from. These limitations did not sit well with [Samy Kamkar], a 19 year old hacker out of Los Angeles.

It didn’t take [Samy] long to figure out how to trick the site to let him upload more images and change his relationship status to a customized “in a hot relationship”. After hoodwinking the Myspace site with some simple hacks, he realized he could do just about anything he wanted to with it. And this is where things get interesting. It took just over a week to develop a script that would force people who visited his page to add him as a friend. But that wasn’t enough. He then programmed the script to copy itself onto the visitor’s page. [Samy] had developed a self-propagating worm.

The script went live as [Samy] went to bed. He woke up the next morning with 200 friends requests. An hour later the number had doubled. [Samy] got worried and sent an anonymous email to the webmaster warning of the worm. It was ignored. By 1:30PM that day, he had over 6,000 friends request. And like any good hacker worth his weight in floppy drives, his sense of humor had him program the script to also add his name to each visitor’s Heroes List. This angered many people, who deleted him from their page, only to get reinfected moments later when they visited another (infected) page.

[Samy’s] script was raging out of control. As the evening closed in, his friends count had reached 919,664. It would top the 1 million mark just before Myspace took their servers offline to figure out what was going on. Two hours later, the site was back up. [Samy’s] profile page had been deleted.

[Samy] had used a technique known as cross-site scripting (XSS) to pull off his hack. We’ll touch on XSS in a later article. For now, we’re going to stick to the basics – proper passwords and SQL Injection.

Continue reading “The Dark Arts: SQL Injection And Secure Passwords” →

Password Extraction Via Front Doorbell

February 28, 2016 by Elliot Williams 52 Comments

Not a day goes by without another IoT security hack. If you’re wondering why you don’t want your front doorbell connected to the Internet, this hack should convince you.

The hack is unfathomably stupid. You press the button on the back of the unit that pairs the doorbell with your home WiFi network, and it transmits the password in the clear. Sigh. It’s since been fixed, and we suppose that’s a good thing, but we can’t resist thinking for a moment about an alternative implementation.

Imagine, like all previous non-IoT wireless doorbells, that the doorbell transmitted a not-very coded signal over an open frequency like 433 MHz to a receiver inside your home. Do the same with the video stream. Now the receiver can be connected to the Internet, and can be significantly more secure because it’s behind your locked front door. The attack surface presented to the outside world by the doorbell itself is small, and limited to faking a doorbell press or showing you pictures you don’t want to see. Yawn.

But because the outside doorbell unit could be connected to a network, it was. Now the attack surface extends into your home’s network, and if you’re like most people, the WiFi router was your only real defense.

Now we love the IoT, in principle. There are tons of interesting applications that need the sort of bandwidth or remote availability that the Internet provides. We’re just not convinced yet that a doorbell, or a fridge for that matter, meet the criteria. But it does add a hundred bucks to the price tag, so that’s good, right? What do you think? When does the risk of IoT justify the reward?

Thanks [Dielectric] for the tip!

Breaking SimpliSafe Security Systems With Software Defined Radio

February 23, 2016 by Brian Benchoff 49 Comments

The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?

Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered in the keypad, the base station replies with a ‘PIN entered’ packet. Replaying this packet with a 433 MHz transmitter will disable the security system.

[Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions were easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed bypassing notifications to the owner.

It’s a hilarious failure of wireless security, especially given the fact that this exploit can be performed by anyone with $100 in equipment. With a little more effort, an attacker can execute a PIN replay from a mile away. Sadly, failures of security of this magnitude are becoming increasingly common. There will assuredly be more attacks of this kind in the future, at least until hardware manufacturers start taking the security (of their security products) seriously.

Linux Mint Hacked Briefly – Bad ISOs, Compromised Forum

February 22, 2016 by Bob Baddeley 34 Comments

On February 20th, servers hosting the Linux Mint web site were compromised and the site was modified to point to a version of Mint with a backdoor installed. Very few people were impacted, fortunately; only those who downloaded Mint 17.3 Cinnamon on February 20th. The forum user database was also compromised.

What is most impressive here is not that Linux Mint was compromised, but the response and security measures that were already in place that prevented this from becoming a bigger problem. First, it was detected the same day that it was a problem, so the vulnerability only lasted less than a day. Second, it only affected downloads of a specific version, and only if they clicked a specific link, so anyone who was downloading from a direct HTTP request or a torrent is unaffected. Third, they were able to track down the names of three people in Bulgaria who are responsible for this hack.

As far as the forum compromise, the breech netted usernames, emails, and encrypted passwords, as well as personal information that forum users may have entered in signatures or private messages. It’s always nice to see when compromised sites are not storing passwords in plain text, though.

There is one security measure which should have protected against this and failed for a couple of reasons, and that’s the signature. Normally, the file download is accompanied by a signature which is generated from the file, like an MD5 or SHA checksum. By generating the checksum of the downloaded ISO file and comparing it to the reported signature on the web site, one can confirm that the file has downloaded correctly and that it is the same file. In this case anyone downloading the bad ISO should have caught that the downloaded file was not the official one because the signatures did not match. This can fail. Most people are too lazy to check (and there is no automated checking process). More importantly, because the attackers controlled the web site, they could change the site to report any signature they wanted, including the signature for the bad ISO file.

If you are affected by this, you should change your password on the forum and anywhere you use the same email/password. More importantly, as great as the verification signature is, shouldn’t there be a better way to verify so that people use it regularly and so that it can’t be compromised so easily?

GuardBunny Active RFID Protection Going Open Hardware

February 18, 2016 by Mike Szczys 33 Comments

There are two sides to every coin. Instead of swiping or using a chip reader with your credit card, some companies offer wireless cards that you hold up to a reader for just an instant. How convenient for you and for anyone who might what to read that data for their own use. The same goes for RFID enabled passports, and the now ubiquitous keycards used for door access at businesses and hotels. I’m sure you can opt-out of one of these credit cards, but Gerald in human resources isn’t going to issue you a metal key — you’re stuck hauling around that RFID card.

It is unlikely that someone surreptitiously reading your card will unlock your secrets. The contactless credit cards and the keylock cards are actually calculating a response based on a stored key pair. But you absolutely could be tracked by the unique IDs in your cards. Are you being logged when passing by an open reader? And other devices, like public transit cards, may have more information stored on them that could be harvested. It’s not entirely paranoid to want to silence these signals when you’re not using them.

One solution is to all of this is to protect your wallet from would-be RFID pirates. At this point all I’m sure everyone is thinking of a tin-foil card case. Sure, that might work unless the malicious reader is very powerful. But there’s a much more interesting way to protect against this: active RFID scrambling with a project called GuardBunny. It’s a card that you place next to whatever you want to protect. It’s not really RFID — I’ll get that in a moment — but is activated the same way and spews erroneous bits back at any card reader. Kristin Paget has been working on GuardBunny for several years now. As of late she’s had less time for active development, but is doing a great thing by letting version 1 out into the world for others to hack on. In her talk at Shmoocon 2016 she walked through the design, demonstrated its functionality, and shared some suggestions for further improvement.

Continue reading “GuardBunny Active RFID Protection Going Open Hardware” →

The Contrarian Response To Apple’s Need For Encryption

February 18, 2016 by Brian Benchoff 277 Comments

On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22. This was the third deadliest mass shooting in the United States in recent memory, and began a large investigation by local, state, and federal agencies. One piece of evidence recovered by the FBI was an iPhone 5C belonging to one of the shooters. In the days and months after the shooting, the FBI turned to Apple to extract data from this phone.

A few days ago in an open letter to customers, [Tim Cook], CEO of Apple, stated they will not comply with FBI’s request to build a backdoor for the iPhone. While the issue at hand is extracting data from an iPhone recovered from the San Bernardino shooting, [Cook] says building a new version of iOS to extract this data would allow the FBI to unlock any iPhone. Needless to say, there are obvious security implications of this request.

Apple does not publish open letters to its customers often. Having one of the largest companies on the planet come out in support of privacy and encryption is nearly unprecedented. There is well-founded speculation this open letter to the public will be exhibit A in a supreme court case. Needless to say, the Internet has gone a little crazy after this letter was published, and rightly so: just imagine how better off we would be if AT&T said no to the NSA in 2002 – [Snowden] might just be another IT geek working for a government contractor.

There is a peculiar aspect of public discourse that doesn’t make any sense. In the absence of being able to say anything interesting, some people have just decided to add a contrary viewpoint. Being right, having a valid argument, or even having evidence to support assertions doesn’t matter; being contrary is far more interesting. Look at any comment thread on the Internet, and you’ll find the longest comment chain is the one refuting the parent article. Look up the ratings for a cable news channel. You’ll find the highest rated show is the one with the most bickering. When is the last time you saw something from the New York Times, Washington Post, or LA Times on Facebook or your favorite news aggregator? Chances are, it wasn’t news. It was an op-ed, most likely one that was espousing a view contrary to either public opinion or public policy.

As with any headline event on the Internet, the contrarians have come out of the woodwork. These contrarians are technically correct and exceedingly myopic.

Continue reading “The Contrarian Response To Apple’s Need For Encryption” →