Hacking Oracle databases using Metaspolit

Metasploit will release a module that comes as a bundle package with Metasploit framework which simplifies and automates hacking of Oracle databases. The release will be done at the Black Hat conference in Las Vegas next week.

The Oracle database is popular with large corporations and governments for recording large volumes of online transactions.

The hacking tool was developed in the open source Metasploit cooperative, which will host a seminar at the conference. According to the Metasploit website, students will learn how to create custom modules to solve specific tasks, launch widescale client-side attacks, operate a malicious wireless access point, generate custom backdoors, bypass intrusion prevention systems, and automate the post-exploitation process. The course shows how to use new features in the Metasploit software for penetration tests

Note: Reuters reported that Oracle has released a patch that protects against Metasploit. However, many firms are lax about applying patches, opening their information to hackers.

Chris Gates Metasploit co-developer showed how to attack Oracle using Metasploit. Check the video below:-

FBI: Big Brother is watching ?

It's not only hackers who sneak spyware onto unsuspecting peoples' computers. The FBI does it too, and has been for years.

Heavily redacted documents obtained by Wired magazine under the Freedom of Information Act show that the FBI has been using software it calls CIPAV — Computer and Internet Protocol Address Verifier — for nearly a decade.

Agents lure the target, usually someone who's concealing his Internet Protocol (IP) address to mask his identity, into clicking on a certain Web site, which infects his machine with the CIPAV software.

CIPAV then "phones home" to tell the FBI the target's IP address, operating system and serial number, installed software, list of recently visited Web sites, registered name and a whole lot of other stuff that's whited out in the documents.

It's been successfully used against suspected extortionists, sexual predators, bioterrorists and even one person thought to be impersonating an FBI agent.

One network of hackers who targeted a bank resisted downloading CIPAV, indicating that some, but eventually not all, of its members were wise to the FBI's ways. In another case, a hacker who'd gotten into servers at NASA and government labs turned out to be a Swedish 16-year-old.

CIPAV proved so immediately useful that way back in March 2002, a formerly classified Justice Department memo warned that "we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit."

Those concerns were unfounded: The spyware was still being used in 2006, according to the files, and presumably may still be today, unless it's been superseded by something even more sneaky and powerful.

Lest any privacy advocates be alarmed, the FBI got court orders each and every time they deployed CIPAV, even going to the Foreign Intelligence and Surveillance court several times when overseas targets were involved.

Credit :- Fox News

Weapons of Information disclosure:Ghostnet & Conflicker

There are two fascinating developments in the world of online security that are so sensational as to seem right out of a cyberpunk thriller.The first, the resilience of the Conficker worm, which culminates in some kind of action on April 1st 2009.The second is an incredible espionage initiative called GhostNet, which the Citizen's Lab in Toronto have helped unearth and expose to the public.

Combined these two stories depict something I've been describing as an Weapons of Information Disclosure, in which proxy forces develop new types of information based weapons and test them live on the internet. While it's never clear who the players are behind this information war, researchers are able to dissect the tools and compromised systems to portray a fascinating tale of computer-based cloak and dagger.

In the case of Conficker, we have another one of these super worms, following in the success of the Storm Worm, that is able to infect millions of windows machines and act on the bidding of it's mysterious owners. As the latest and greatest, Conficker employs a sophisticated p2p command and control system that uses military grade encryption to cover it's tracks.

The one thing that researchers have been able to determine so far is that on April 1st 2009 the Conficker infected machines are programmed to download new instructions. These instructions might be as basic as a software update, or a prank, although given the potential power of all these infected machines the possibility of a large scale attack also has to be considered.

The power that we see manifesting in these types of super worms and related phenomena forces me to ask the question of who is responsible and who benefits.How do you develop new internet based weapons in an open environment? Once you reach a certain scale of weaponry you cannot leave the testing to the laboratory alone. This is why they exploded nuclear weapons in the Pokhran deserts. Is this what we're now seeing online in terms of the latest iterations of these advanced botnets?

While there are numerous hidden layers to the internet, and multiple means by which to hide, eventually all ghosts become visible.
This is wonderfully illustrated by the report Tracking GhostNet: Investigating a Cyber Espionage Network produced by the Citizen Lab of Toronto and the SecDev group in Ottawa.

A New York Times story by John Markoff about the report is here

This report is the culmination of a 10 month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of over 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of the attack tools used by the GhostNet system were far-reaching, and include the ability to retrieve documents, and turn on web cameras and audio systems. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

While this does seem sensational it should not be surprising. One also has to assume that a system like this which can be discovered is certainly not the most sophisticated or effective which would continue to go on undetected. However there is both a tension towards transparency and a power found in the openness of the internet. The more the internet is used as infrastructure as part of these larger espionage initiatives, the greater the chances they will be discovered by researchers committed to an open and democratic society.
Similarly the open source movement holds many lessons and examples that provide insight into how technology evolves and influences the tools that people choose to use. We have to remember that as these new weapons are developed we can only speculate on who will choose to use and help further refine their capabilities.

This is well summarized by a quote I found via the NYtimes article

“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.

Credit :-
Jesse Hirish

XSS attack using IFRAMES

Today I found myself as one of the XSS (cross site scripting) attack victims. Though I am a techie and my domain is also web I never felt the gravity of this issue earlier.

I got the infection from my ISP’s website. I have to login into my ISP’s website in order to connect to internet. For quite a few days I had been experiencing a huge delay in login. Sometimes even after successful login I couldn’t browse any page while other applications like mail client & messenger worked normally. Luckily this time I got my eyes on browser’s status bar while waiting for successful login confirmation. I noticed a request to an external URL http://mk.cxaaaa.cn. It was weird for two reasons. First it makes no sense to communicate with an external server while engaging in login process with ISP’s server. Second which makes it more suspicious is the server you are communicating with is outside the country when the actual server responsible for authentication & login is a part of local network. After this I began the dissection of login page. The page was designed using IFRAMES, Yuck! But the more strange thing was nested IFRAMES. In one of the nested IFRAME’s content I got the following javascript code in header section.

The first thing I did after this was to directly access this javascript source. I know it is risky & stupidity to access such resources. But it didn’t come to my mind at that moment. Luckily I was using Firefox and it blocked access to it. This is a security feature in modern browsers to default block the blacklisted resources. In case of Mozilla it refers to the data maintained by Google and StopBasware.org. After this I did some googling with this URL and it confirmed the XSS attack.

1) Use firewall
2) Firefox has two great add-ons NoScript and RequestPolicy to address such XSS threats.

Privacy what's that ..?

Reference to an brilliant article on the CNet Blogs, Chris Soghoian writes on Privacy: What should Google do?

I have one question, one comment, and one look into the future.

Question: We might be able to trust Scroogle not to steal our search queries and tie them to an individual (i.e. an invasion of privacy), but how do we prevent Google/Scroogle (or any organization for that matter) from using stolen search queries as a sociological reference (for everything from marketing Adwords to possible propaganda)? How do we trust anyone with the ability to display, collect, and harvest this kind of data?

Comment: Scroogle is all well and good. They support up to 130k searches per day, 10 percent SSL — great! However, Google is on a different scale. It appears that there would be interest on Google’s part to create a less well-known “Secure Google/GMail”. If it becomes too widely known, and they cannot monetize from it — it doesn’t make sense for them to keep running it.

Future look: the time period between 1960 and 2060 will not be known as the information age. It will be known as the “lack of privacy” age. Our children’s children will know how to protect their privacy. Today, I can easily deduce a person’s first name, last initial, and city they live in both online and off. Using Google, Pipl.com, Paterva, et al — it is easy for me or anyone to perform a Sweeney attack. It is no longer necessary to have very detailed information (such as zip code, DOB) , or even know the correct spelling of a person’s name.

I’m fairly certain that my medical information, email, and search queries are in the top three pieces of information that I would like to keep private (besides my full name,DOB). A credit card can be replaced. I can get a new passport or driver’s license. Fortunately, I was never in the military — which has been a notorious problem for veterans, whose privacy is almost an open door. Lolzzzzzzzzzzz.

Replacing your DOB, or full name is nearly impossible if you have been a victim of identity theft. It quickly becomes additionally impossible to pass a credit check or sell your home. However, there are workarounds to these such as changing your name. We are beginning to understand the problem.

I don’t feel that we fully understand the value of our search queries — as individuals, companies, and civilizations. Search queries are your thoughts; they are our thoughts. Will this empower us, or will it destroy us? Will it enable an organization similar to the Thought Police in 1984? I think that if we’re not careful, then it most certainly will.

Fundamentals steps to secure an environment...

Most environments I encounter in my everyday job had one common issue i.e. they are difficult to secure ,they are complex, heterogeneous, lack of inventory management, have a great number of dependencies, & are decentralized etc.....etc.

These are some of the steps one can follow to create a secure environment. Consider the possibility to create a new parallel environment and migrate into it, it´s sometimes the only way if you really wants to succeed!

Steps to a secure IT-environment:

Standardise, centralize and modernize your environment.
-A Standardized and centralised environment is a lot easier to manage and monitor, therefore easier to secure. Modern hardware, operating systems and application are often more secure and easier to manage. A good time to initiate this project could be when you move to Windows Server 2008/Windows Vista platforms/Windows7.

Segment and harden the perimeter. (Layer 3 is not enough!)
Consider application inspection and monitoring. White listing whenever possible (As oppose to blacklisting). Segment the perimeter (Why should a compromised DNS-server on the DMZ be able to make direct connections to a Mail-server on the DMZ?)

Segment and harden the network layer
Implement internal segmentation and isolation. Why should an ordinary client be able to connect to back-end SQL-servers? (Most internal networks are not "trusted", think of it as internet, only expose front-end-services). Why should a client be able to connect directly to another client? (This is a vector for hacker-attacks and worms, enforce local firewall rules to prevent this) A combination of IPSEC, VLAN segmentation/ Internal ISA-Server Segementation/ Local Firewalling can be used for network layer hardening

Role-base and harden servers, clients, services and applications
-If you role base Clients, servers, services and applications they will become easier to manage, harden, monitor and delegate administration to. Use hardening according to the corresponding security guides, Use local firewalls.

Enforce a restrictive software deployment&execution policy.
Vulnerable or trojaned applications can lead to system compromise. Make sure that you only use quality applications in your environment. Use a centralized process so that you can keep inventory.

Patch everything!
Since you are enforcing a good software deployment process it´s easy to implement a good patch management process, where you make sure that you are able to patch/mitigate all known threats to your installed software. Remember that network appliances and similar also have software installed, Patch EVERYTHING!

Implement strong authentication on exposed services
Easy-to-guess passwords, weak network authentication protocols etc. are common reasons for system/application compromise. PKI-based smartcards/OTP etc. are stronger alternatives to ordinary passwords. Legacy applications can be terminalized, virtualzed, proxified or tunneled in IPSEC/VPN to make use of stronger authentication.

Delegate administration and data access according to least privilege
If an account gets compromised the attacker will be able to do everything that account has rights and permissions to do. Enforce least privileges everywhere, avoid unnecessary dependencies and remember that a users credentials are always exposed on the system he is logged on to.

Audit and monitor critical computers, users and services
You want to know if your systems are attacked, you want to be able to analyse logs if a system has been compromized. Real-time logging to a non-dependent, secure system is always a good thing. (Separation of duties ensures that a hacker cannot alter logs)

Encrypt hard drives on exposed computers
-If a computer is ever left unattended and potentially exposed to someone untrusted it should use strong hard drive encryption and be turned off at the time of exposure.

Educate users
If the users practice restrictive interaction with untrusted websites, application, devices and people you will decrease the attack surface drastically.

Implement understandable and accessible policies and processes
Almost nobody will read a 200 page it-security policy document that is not even possible to enforce in the real-world. Implement a easy to read policy that presents relevant information to easch role in the company, And limit the pages that every role gets to a minimum. (May be the receptionist needs 2 pages while the it-support guy needs 6 pages..)

Of cource there are more things that could be done, Consider this a simple "draft" Feel free to comment this post, we can all complete the list together. :)

Biggest Vulnerability:Humar Error !!

I had a roundup of posts on Windows’s latest Beta OS release, Windows7, and the security “features” that went into it, where they fall short, and what’s missing. To summarize the post, this is what’s required for the “trojan” to pwn you:

1. Go to a malicious site.
2. Get prompted to install software.
3. Choose to install it.
4. Put in your admin password when it asks for it.
5. Get pwned.

So this brings me to, “an operating system is only as secure as the idiot using it.” I’m tired of arguing about the security of Windows versus Linux versus OS X. They’re pretty much all the same, and they’re all insecure. A competent user or sysadmin managing it will limit the number of services running and ports open, install only signed/verified applications, and practice safe browsing. This won’t protect you or them from an 0day.

Whether your grandma is more secure using one OS over another, again… it’ll only be as secure as she can be. With more and more vulnerabilities exploiting the browser and targeting the user, no OS is secure.

Build a Lab using De-ICE Pen Test LiveCD's

I have been looking for a way to create a training type program for a small corporate penetration testing team. The problem is that the people that conduct internal penetration tests within small and large corporations are usually part of a larger Information Security department. These are the people that usually have to wear many hats in Info Sec, not to mention that they have to do other things as well. This all leads to a decrease in time and hence, skill set! Since the corporate guys (and gals) don't conduct pen tests everyday or every week (like our consulting brethren) there needs to be some sort of training program that corporate pen tester's can use to keep their skills up-to-date.

The training program needs to consist of the following:

- Easy to setup in a lab or virtual environment.
- Scenario based challenges that replicate real world situations.
- A "level" type of achievement system. Levels should build upon one another.
- Real hacking tools need to be pre-installed and ready to use, no time to mess with configurations.
- Scenario's that make you actually learn the tools and to think "outside the box".
- Scenario's need to be challenging and fun!

These are some of the high level requirements that I was looking for when it came to developing this training program.

I was lucky enough to grab the video copy of the Defcon conference held in Vegas and manage to saw an webcast of a presentation entitled "Turn-Key Pen Test Labs" by Thomas Wilhelm. Thomas described these LiveCD's (bootable on any kind of "intel" hardware) in which you can create your own pen test lab with some great real world scenarios. Thomas basically took scenarios that he did in real life pen testing assignments, recreated and re-engineered these on the LiveCD's. What a fantastic idea! The LiveCD's are based off of Slax. They contain real, live running services like telnet, ssh, ftp, etc..and even include a web server. So what do you do with the LiveCD once you pop it into a machine? You use Backtrack 3! Backtrack 3 is a LiveCD which contains over 300 tools pre-installed and ready to use. No need to configure anything. So..setup a small lan with two computers and a dhcp server and you are all set.

One thing I wanted to do was take the LiveCD's that Thomas put together and create the lab environment in VMware. That way you can have the Backtrack 2 LiveCD and the De-ICE Pen Test LiveCD's all on a virtual network contained on one laptop or desktop. Perfect for the corporate pen tester! I found (through the forums on Thomas' website) that there were lots of questions and/or problems with setting up a virtual network to run the testing environment so I put together a document which guides you through the setup of the network and the LiveCD's. This is the setup that I have used for the LiveCD's and it has been working out great! One thing to note about my setup. I am running VMware Workstation 5.5 on Suse 10.2. These instructions should work with VMware Workstation 6 and server as well. I note that the Windows version is similar. I will need to update the document with the Windows instructions as well. This is version 1.0 so I plan on releasing updates to this in the future.

So where do you find all of this stuff?
You can download the De-ICE LiveCD's from the De-ICE website here. There are also some really good "spoiler" and help forums if you get stuck. Thomas has done a great job on these LiveCD's so please support his website and the forum community that is growing around these CD's. I encourage you to learn more about these LiveCD's and get involved with helping create scenarios for future LiveCD's.

VMware Documentation for De-ICE Pen Test LiveCD's
The VMware Configuration Document I created is available for download in of here.