Friday 28 February 2014

ABS-FITA Cyber Security Seminar - Presentation

ABS-FITA : Cyber Security Seminar - An Experience


It was such a great honor to be invited to demonstrate our capabilities to the masses at the seminar. Believe it or not, although the demo was only 1 hour, it took me over 100 hours just to prepare the setup, ensuring my payloads worked and the antivirus applications could be bypassed. The preparation was not as smooth as I hoped it would be.



The first time I prepped it and showed it to a colleague, everything failed! My BackTrack Linux wasn't working, Xenotix unexpectedly hung, and it was such a mess. Then, after hours and hours of reinventing the wheel, I felt confident and showed it to the internal staff, and again it failed! Why? Why? Why?

Then came the day the organizers from ABS-FITA came to see the demo in the office. I prayed and I prayed and I prayed, please don't fail... and thank God! It went smoothly!


The 'Rehearsal'

The organizers told us to come as early as 7am to prep the stage and ensure the projectors and sound were all working. Well, to ensure that I would not be made late by our 'reliable' MRT, I had to wake up as early as 4am and leave the house at 5.15am, reaching the Ritz Carlton hotel at 5.40am! There was no one around in the hall but, without wasting time, I set up my machines and did a trial run of the whole demo process. Smooth...

During the Talk

While the event had already started, instead of listening to the speaker, I was at the speaker's table with my two notebooks on, rerunning my demo process. Smooth....

During Lunch

Our presentation was scheduled at 4pm. In other words, we had 4 more hours before our turn. Everyone went to lunch but I was busy on stage testing my network (4G) connection and ensuring that I was able to send traffic within the tethered network environment.... Smooth...

Showtime

So when our turn began, I was very nervous, or in Hokkien, 'gan cheong', because I really, really hoped it would work. The problem was, it's easier and a friendlier environment doing the demo in front of an audience of hackers, as they would understand if and when a demo fails. But presenting it to a business-level audience, I needed to ensure that everything was perfect end to end... And here's the thing: it was all perfect until the part where I tried to connect to the database server's shell but the connection was reset. I was like, Oh no! But my colleague, who did all the talking, coolly said, "Looks like the connection was out, but he will try again. Not every hack is a perfect hack". And when I entered 'Exploit' and hit the Enter button... loading...loading...loading and YES, it went through!!! Total 'downtime' was 10 seconds! Phew!!!








Conclusion

I was glad to be able to show everything completely and, as fed back by the organizers, "it was the highlight of the event". Some of the people came up to us and said they enjoyed the demo. Some said it opened their eyes after seeing it live. And finally, unexpectedly, I received a speaker's gift from the organizer... a Mont Blanc wallet! How nice!!

Next Week: Presentation @ Websense! 
Link: http://app.certain.com/profile/web/index.cfm?PKWebId=0x5770881342&varPage=info
Link to pictures: http://centres.smu.edu.sg/fita/events/photos-videos/cyber-security-seminar/

Wednesday 19 February 2014

Curiosity Killed the Cat 5 Network

Last year, I wrote a technical article entitled 'Social Engineering: Penetration Testing the Human Element' for Pentestmag.com, which focused on the process of social engineering assessment using the art of deception and how easy it could be with simply a smile accompanied by an act of confidence.

In his book 'The Art of Deception', Kevin Mitnick dives deep into that art and shares the tricks he used to deceive people into giving him vital information. Not only did he succeed in tricking ordinary employees, he also managed to trick security administrators, managers, CIOs and other people holding top positions in organizations.

Then again, not many can be as charming, as confident and as cunning as Kevin, be it in telephone conversations or face-to-face meetings. That's when hackers use the art in other forms, from cloning a website and hoping someone falls for it (phishing) to sending malicious links or attachments via email and crossing their fingers hoping someone clicks on them.

Earlier this month, KrebsOnSecurity reported that the famous hack and breach at Target could be the result of an email attack, a malware-laced phishing email sent to employees.[1]


This trend of users easily falling prey to social engineering tactics even led a vendor to suggest punishing careless employees to reduce security breaches. [2]



Looking back at the past, malware such as the famous 'I love you' virus, 'Melissa' and 'Zeus' was all spread by invoking human curiosity. A single click. That's all it takes. And thanks to this curiosity, those viruses managed to spread to over 50 million computers worldwide. Even important organizations such as the Pentagon, the CIA and the British Parliament were not spared. [3]

Employees play a huge role in ensuring the security of their organizations.

Organizations may have put the best security mechanisms in place to block external intrusion, but if there is one thing hackers have learned from history, it is to attack human curiosity first, because it is much easier to fool a person than a system. As I wrote above, one click is all it takes to bring the organization to its knees.

To quote the security rockstar Bruce Schneier, "Amateurs hack systems. Professionals hack people."

References:

Saturday 8 February 2014

XSS (Cross Site Scripting) Vulnerability Found in Dell.com

According to OWASP, Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

From: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

On May 28th 2013, an XSS vulnerability on the Dell.com website was found and posted on pastebin.com.

(screenshot of the XSS on Dell)

As of now, that XSS vulnerability is fixed and can no longer be reproduced. However, on Jan 20th 2014, a security analyst by the name of Jordan Jones found the same issue on a different page of the same website and posted a screenshot of the POC on Twitter.

(the twitter post by Jordan Jones)

(the executed vulnerability)

He was kind enough to inform the Dell Security team about the vulnerability via Twitter, which led Dell to tell him whom to contact.

(Jordan Jones interaction with Dell Security)

At the same time, he also posted more information about the vulnerability on pastebin.com.

(more information about the vulnerability)

Beyond the window alert screengrabbed by Jordan Jones, further script injection can be tested on the same parameter. Below is another way to exploit the vulnerability: injecting an image into the parameter, which leads to this:

(image injection to the vulnerable parameter)

To date, Dell has yet to fix this vulnerability. XSS is a serious vulnerability that is rated as High or Critical by most vulnerability scanners, including Qualys and Acunetix, and a well-known company like Dell should fix this vulnerability as soon as possible.
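What a fix for this class of bug looks like, as an added example (not Dell's code and not from the original post): the same page rendered with the parameter reflected raw, as in the OWASP description and the alert and image cases above, and with output encoding applied. The parameter name `q`, the page template and all sample values are constructed for illustration.

```javascript
// Encode the five characters that can change HTML parsing context.
// Quotes are included because the value is also reflected inside an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query parameter is concatenated into the response as-is.
function renderVulnerable(query) {
  const q = new URLSearchParams(query).get('q') || '';
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Hardened: same template, every reflection is encoded at output time.
function renderHardened(query) {
  const q = escapeHtml(new URLSearchParams(query).get('q') || '');
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Regression check: element names present in the response that the
// template itself never emits, i.e. markup that came from the parameter.
function injectedTags(html) {
  const templateTags = new Set(['h1', 'input']);
  const found = new Set();
  for (const m of html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!templateTags.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed inputs: the two cases the post mentions plus a benign value.
const samples = [
  'q=' + encodeURIComponent('<script>alert(1)</script>'),
  'q=' + encodeURIComponent('<img src="https://example.invalid/x.png">'),
  'q=' + encodeURIComponent('17" monitor & stand'),
];

function report() {
  return samples.map((s) => ({
    input: s,
    vulnerable: injectedTags(renderVulnerable(s)),
    hardened: injectedTags(renderHardened(s)),
  }));
}

console.log(report());
```

Encoding at output time keeps legitimate input intact (the quote and ampersand in the third sample still display correctly), which a filter that strips characters on input would not.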