XSS attack using IFRAMES

Today I found myself one of the victims of an XSS (cross-site scripting) attack. Though I am a techie and the web is my domain, I had never felt the gravity of this issue before.

I got the infection from my ISP's website. I have to log in to my ISP's website in order to connect to the internet. For quite a few days I had been experiencing a huge delay in login. Sometimes even after a successful login I couldn't browse any page, while other applications like the mail client and messenger worked normally. Luckily this time I kept my eyes on the browser's status bar while waiting for the login confirmation. I noticed a request to an external URL, http://mk.cxaaaa.cn. It was weird for two reasons. First, it makes no sense to communicate with an external server while engaged in the login process with the ISP's server. Second, and more suspicious, the server being contacted is outside the country, while the actual server responsible for authentication and login is part of the local network. After this I began dissecting the login page. The page was built using IFRAMEs, yuck! Stranger still, the IFRAMEs were nested. In the content of one of the nested IFRAMEs I found the following JavaScript code in the header section.

The first thing I did after this was to directly access the JavaScript source. I know it is risky and stupid to access such resources, but it didn't come to my mind at that moment. Luckily I was using Firefox and it blocked access to it. Modern browsers block blacklisted resources by default; in Mozilla's case the blacklist comes from data maintained by Google and StopBadware.org. After this I did some googling with this URL and it confirmed the XSS attack.

Solution
********
1) Use a firewall.
2) Firefox has two great add-ons, NoScript and RequestPolicy, that address such XSS threats.
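As an added illustration (not part of the original post), here is a small Python check that walks a login page's nested IFRAMEs and flags every script, frame or stylesheet reference whose host is not the ISP's own. The ISP address and frame paths are placeholders I made up; the only real value is the external host named above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Constructed sample, not from the post: a login page built from nested IFRAMEs where
# the innermost frame has a <script> injected into its <head>. The ISP address and
# paths are placeholders; the external host is the one the post names.
ISP = "http://10.0.0.1"  # placeholder for the ISP's login server
PAGES = {
    ISP + "/login.html": '<html><body><iframe src="/frames/outer.html"></iframe></body></html>',
    ISP + "/frames/outer.html": '<html><body><iframe src="inner.html"></iframe>'
                                '<script src="/js/login.js"></script></body></html>',
    ISP + "/frames/inner.html": '<html><head><script src="http://mk.cxaaaa.cn/"></script></head>'
                                '<body><form action="/auth"></form></body></html>',
}

class RefCollector(HTMLParser):
    """Collect (tag, url) for tags that make the browser fetch another resource."""
    WATCHED = {"iframe": "src", "frame": "src", "script": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(self.WATCHED.get(tag, ""))
        if value:
            self.refs.append((tag, value))

def collect_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs

def external_refs(html, page_url, trusted_hosts):
    """Return (tag, absolute_url) for each reference to a host outside trusted_hosts."""
    found = []
    for tag, ref in collect_refs(html):
        absolute = urljoin(page_url, ref)  # resolve relative paths against the frame URL
        if (urlparse(absolute).hostname or "").lower() not in trusted_hosts:
            found.append((tag, absolute))
    return found

def audit_frames(pages, url, trusted_hosts, seen=None):
    """Follow nested IFRAMEs from url; pages maps URL -> HTML in place of fetching."""
    seen = set() if seen is None else seen
    if url in seen or url not in pages:  # guard against frame loops / unfetched frames
        return []
    seen.add(url)
    findings = [(url, t, u) for t, u in external_refs(pages[url], url, trusted_hosts)]
    for tag, ref in collect_refs(pages[url]):
        if tag in ("iframe", "frame"):
            findings += audit_frames(pages, urljoin(url, ref), trusted_hosts, seen)
    return findings
```

Running `audit_frames(PAGES, ISP + "/login.html", {"10.0.0.1"})` reports only the inner frame's script tag pointing at mk.cxaaaa.cn, which is exactly the request that showed up in the status bar.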

Privacy what's that ..?

In reference to a brilliant article on the CNet blogs, where Chris Soghoian writes on Privacy: What should Google do?

I have one question, one comment, and one look into the future.

Question: We might be able to trust Scroogle not to steal our search queries and tie them to an individual (i.e. an invasion of privacy), but how do we prevent Google/Scroogle (or any organization for that matter) from using stolen search queries as a sociological reference (for everything from marketing Adwords to possible propaganda)? How do we trust anyone with the ability to display, collect, and harvest this kind of data?

Comment: Scroogle is all well and good. They support up to 130k searches per day, 10 percent SSL — great! However, Google is on a different scale. It appears that there would be interest on Google’s part to create a less well-known “Secure Google/GMail”. If it becomes too widely known, and they cannot monetize from it — it doesn’t make sense for them to keep running it.

Future look: the time period between 1960 and 2060 will not be known as the information age. It will be known as the "lack of privacy" age. Our children's children will know how to protect their privacy. Today, I can easily deduce a person's first name, last initial, and the city they live in, both online and off. Using Google, Pipl.com, Paterva, et al., it is easy for me or anyone to perform a Sweeney attack. It is no longer necessary to have very detailed information (such as zip code or DOB), or even to know the correct spelling of a person's name.

I'm fairly certain that my medical information, email, and search queries are the top three pieces of information that I would like to keep private (besides my full name and DOB). A credit card can be replaced. I can get a new passport or driver's license. Fortunately, I was never in the military, which has been a notorious problem for veterans, whose privacy is almost an open door. Lolzzzzzzzzzzz.

Replacing your DOB or full name is nearly impossible if you have been a victim of identity theft. It quickly becomes additionally impossible to pass a credit check or sell your home. However, there are workarounds, such as changing your name. We are beginning to understand the problem.

I don't feel that we fully understand the value of our search queries, as individuals, companies, and civilizations. Search queries are your thoughts; they are our thoughts. Will this empower us, or will it destroy us? Will it enable an organization similar to the Thought Police in 1984? I think that if we're not careful, then it most certainly will.

Fundamental steps to secure an environment...

Most environments I encounter in my everyday job have one issue in common: they are difficult to secure. They are complex and heterogeneous, lack inventory management, have a great number of dependencies, are decentralized, and so on.

These are some of the steps one can follow to create a secure environment. Consider the possibility of creating a new, parallel environment and migrating into it; sometimes it is the only way if you really want to succeed!

Steps to a secure IT-environment:

Standardise, centralize and modernize your environment.
A standardized and centralised environment is a lot easier to manage and monitor, and therefore easier to secure. Modern hardware, operating systems and applications are often more secure and easier to manage. A good time to initiate this project could be when you move to the Windows Server 2008, Windows Vista or Windows 7 platforms.

Segment and harden the perimeter. (Layer 3 is not enough!)
Consider application inspection and monitoring. Use whitelisting whenever possible (as opposed to blacklisting). Segment the perimeter: why should a compromised DNS server on the DMZ be able to make direct connections to a mail server on the DMZ?

Segment and harden the network layer.
Implement internal segmentation and isolation. Why should an ordinary client be able to connect to back-end SQL servers? (Most internal networks are not "trusted"; think of them as the internet and only expose front-end services.) Why should a client be able to connect directly to another client? (This is a vector for hacker attacks and worms; enforce local firewall rules to prevent it.) A combination of IPsec, VLAN segmentation, internal ISA Server segmentation and local firewalling can be used for network layer hardening.

Role-base and harden servers, clients, services and applications.
If you role-base clients, servers, services and applications they will become easier to manage, harden, monitor and delegate administration for. Harden according to the corresponding security guides and use local firewalls.

Enforce a restrictive software deployment and execution policy.
Vulnerable or trojaned applications can lead to system compromise. Make sure that you only use quality applications in your environment. Use a centralized process so that you can keep an inventory.

Patch everything!
Since you are enforcing a good software deployment process, it is easy to implement a good patch management process on top of it, where you make sure that you are able to patch or mitigate all known threats to your installed software. Remember that network appliances and similar devices also have software installed. Patch EVERYTHING!

Implement strong authentication on exposed services.
Easy-to-guess passwords, weak network authentication protocols and the like are common reasons for system and application compromise. PKI-based smartcards, OTP tokens and similar are stronger alternatives to ordinary passwords. Legacy applications can be terminalized, virtualized, proxied or tunneled over IPsec/VPN so that they can make use of stronger authentication.

Delegate administration and data access according to least privilege.
If an account gets compromised, the attacker will be able to do everything that account has rights and permissions to do. Enforce least privilege everywhere, avoid unnecessary dependencies, and remember that a user's credentials are always exposed on the system he is logged on to.

Audit and monitor critical computers, users and services.
You want to know if your systems are attacked, and you want to be able to analyse logs if a system has been compromised. Real-time logging to an independent, secured system is always a good thing. (Separation of duties ensures that a hacker cannot alter the logs.)

Encrypt hard drives on exposed computers.
If a computer is ever left unattended and potentially exposed to someone untrusted, it should use strong hard drive encryption and be turned off at the time of exposure.

Educate users.
If users practice restrictive interaction with untrusted websites, applications, devices and people, you will decrease the attack surface drastically.

Implement understandable and accessible policies and processes.
Almost nobody will read a 200-page IT security policy document that is not even possible to enforce in the real world. Implement an easy-to-read policy that presents the relevant information to each role in the company, and limit the pages that every role gets to a minimum. (Maybe the receptionist needs 2 pages while the IT support guy needs 6 pages.)

Of course there are more things that could be done; consider this a simple "draft". Feel free to comment on this post, we can all complete the list together. :)

Biggest Vulnerability: Human Error !!

I had a roundup of posts on the latest Windows beta OS release, Windows 7, and the security "features" that went into it, where they fall short, and what's missing. To summarize the post, this is what's required for the "trojan" to pwn you:

1. Go to a malicious site.
2. Get prompted to install software.
3. Choose to install it.
4. Put in your admin password when it asks for it.
5. Get pwned.

So this brings me to, "an operating system is only as secure as the idiot using it." I'm tired of arguing about the security of Windows versus Linux versus OS X. They're pretty much all the same, and they're all insecure. A competent user or sysadmin managing a system will limit the number of services running and ports open, install only signed/verified applications, and practice safe browsing. This won't protect you or them from an 0day.

Whether your grandma is more secure using one OS over another, again, it'll only be as secure as she can be. With more and more vulnerabilities exploiting the browser and targeting the user, no OS is secure.

Build a Lab using De-ICE Pen Test LiveCD's

I have been looking for a way to create a training program for a small corporate penetration testing team. The problem is that the people who conduct internal penetration tests within small and large corporations are usually part of a larger information security department. These are the people who usually have to wear many hats in infosec, not to mention that they have other duties as well. This all leads to a decrease in time and hence in skill set! Since the corporate guys (and gals) don't conduct pen tests every day or every week (like our consulting brethren), there needs to be some sort of training program that corporate pen testers can use to keep their skills up to date.

The training program needs to consist of the following:

- Easy to set up in a lab or virtual environment.
- Scenario-based challenges that replicate real-world situations.
- A "level" type of achievement system, where levels build upon one another.
- Real hacking tools pre-installed and ready to use, with no time wasted on configuration.
- Scenarios that make you actually learn the tools and think "outside the box".
- Scenarios that are challenging and fun!

These are some of the high-level requirements I was looking for when it came to developing this training program.

I was lucky enough to grab the video copy of the Defcon conference held in Vegas and managed to watch a webcast of a presentation entitled "Turn-Key Pen Test Labs" by Thomas Wilhelm. Thomas described these LiveCDs (bootable on any kind of "Intel" hardware) with which you can create your own pen test lab with some great real-world scenarios. Thomas basically took scenarios from real-life pen testing assignments and recreated and re-engineered them on the LiveCDs. What a fantastic idea! The LiveCDs are based on Slax. They contain real, live running services like telnet, ssh, ftp, etc., and even include a web server. So what do you do with the LiveCD once you pop it into a machine? You use BackTrack 3! BackTrack 3 is a LiveCD which contains over 300 tools pre-installed and ready to use. No need to configure anything. So, set up a small LAN with two computers and a DHCP server and you are all set.

One thing I wanted to do was take the LiveCDs that Thomas put together and create the lab environment in VMware. That way you can have the BackTrack 2 LiveCD and the De-ICE Pen Test LiveCDs all on a virtual network contained on one laptop or desktop. Perfect for the corporate pen tester! I found (through the forums on Thomas' website) that there were lots of questions and problems with setting up a virtual network to run the testing environment, so I put together a document which guides you through the setup of the network and the LiveCDs. This is the setup that I have used for the LiveCDs and it has been working out great! One thing to note about my setup: I am running VMware Workstation 5.5 on SUSE 10.2. These instructions should work with VMware Workstation 6 and Server as well. The Windows version is similar; I will need to update the document with the Windows instructions as well. This is version 1.0, so I plan on releasing updates in the future.

So where do you find all of this stuff?
You can download the De-ICE LiveCDs from the De-ICE website here. There are also some really good "spoiler" and help forums if you get stuck. Thomas has done a great job on these LiveCDs, so please support his website and the forum community that is growing around these CDs. I encourage you to learn more about these LiveCDs and get involved with helping create scenarios for future LiveCDs.

VMware Documentation for De-ICE Pen Test LiveCDs
The VMware configuration document I created is available for download here.