What is the way forward?

Bradley Manning to Snowden, GCHQ to NSA,CISCO to Huawei, Private to Government over the past one year we have been regularly hearing news about snooping, bug implants, government agencies trying to collect sensitive information about different agencies across the world, Private vendors spying on its customer etc. such news  are quite worrisome for individuals, customers, corporate, for someone who is from the information security industry. 

Few important questions arise from such incidents:

• How do we protect ourselves from such incidents?
• Whom do we trust?
• What is the way forward?
• Should be move back to traditional security practices?
• Where do we find the balance?

In recent news president Obama would be not staying at Waldorf Astoria hotel for the UN General Assembly. Traditionally this hotel has housed all the presidents from Hoover till today but recent acquisition by a Chinese owner has put concerns over security.

Another report was about Cisco routers shipped with backdoor implanted and similar news was about well-known Chinese manufacture Huawei whose devices were reported to have backdoor. Which reports are right or wrong, who is to blame for all this is a different debatable topic all together but the question of the hour is how do we protect ourselves? 

Should corporates invest more time and money and start investing in manufacturing their own hardware devices? Should we stop trusting everyone? Should an individual move to exchanging hand written cryptographic letters?

I would really like to hear thoughts and solutions from the security community about such events and way forward for a SAFER & BETTER Internet!!!

P.S.- Our next post is about an ISP failing to implement security controls and leaking sensitive information.

Sources:-

• http://edition.cnn.com/2015/09/11/politics/obama-waldorf-astoria/
• http://arstechnica.com/security/2015/09/attackers-install-highly-stealthy-backdoors-in-cisco-routers/
• https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
• http://www.zdnet.com/article/former-pentagon-analyst-china-has-backdoors-to-80-of-telecoms/
• http://blogs.wsj.com/washwire/2013/08/21/what-bradley-manning-leaked/
• http://www.bbc.com/news/world-us-canada-23123964

Linked(in)-Engineering

Social Engineering is the term associated with security since the early 1800’s one of the most iconic personal was Samuel Williams who used to con people of their personal valuables by simply asking to keep it with him. He was termed as the “confidence man” by the tabloids in that era, another such example is of Joseph Weil who ran various scams with help of social engineering and one of his famous scam was to con the great Benito Mussolini for over $ 2 Million.  In today's world movies such as “Catch me if you can” & “Identity Theft” highlight the damage that is possible via such attacks and are great examples of what is information is to be kept private & what information to be kept public.

With the passage of time the tools for information gathering/engineering have changed drastically, while one might say technology has come a long way in dealing with such attacks but there is also other side of it. In this age of information sharing with likes of Facebook, Instagram, Whatsapp, Twitter, Linkedin etc. the art of social engineering has gone to a different level. There is tremendous amount of personal information that is shared with the world on such websites & applications. It has become now much easier for people to perform identity theft as private information of personals is right at their fingertips.  Such information is quite a threat to an individual as well to an organization one such example is the recent security breach that happened at RSA. RSA claims that phishing emails were sent to a group of few targeted employees to gain access into the company’s network. This breach put a question on the RSA- Two factor authentication token algorithm as confidential information regarding it was compromised. It not only affected RSA but several other companies who were using RSA authentication infrastructure/mechanism, it cost them over $ 70 million to recover from this attack.

Social Engineering Simplified

Among these information sharing, networking platforms one such popular platform is Linkedin.  Linkedin is professional networking platform with over 350 million users. It is widely used by industry professional to connect with other and exchange informative data.  From a attackers perspective this can be quite a useful platform to mine important information. It can be also used to attack or target a specific individual or an organization.  Keeping this in mind we did a bit of sniffing among our own Linkedin network & about 15 mins of sniffing were astonished with the results that we got. 

 Profile of Chief of Staff

Information Security Professionals Sharing Their Personal Info

Higher Authority at World Bank Sharing Family Pictures

 The above images are just a small highlight of the heap of information that we could gather. One could collect information regarding the Office of President, decision makers at World Bank sharing their private family pictures , people at various levels in different organizations sharing their personal contact details , there are discussions in groups were people are discussing/sharing confidential company information or issues. All this put togather can be very useful intel and can cause serious damage to individual or an organization ,personally as well as professionally.

Most of you by now would be thinking that your organization has specific training & guidelines put into place which stops such vital information from being shared i.e. where PRIVACY is addressed. Well hold your horses right there well don’t you think the president’s office,world bank etc. wouldn’t have such guidelines or training in place? Most of the organizations around the world have some or other training program or guidelines for their employees which address the issues of information sharing & privacy, but the problem comes with regular evaluation. Only a handful of organizations undertake the task of evaluating the information shared by its employees at regular intervals or rather evaluating their learning from the training or guidelines provided to them. If such regular evaluation process is put into practice it will be very difficult for an attacker to carry out social engineering attacks as well as individual & organizational privacy will be maintained.

Note: This blog post is not targeted against any individual or organization and is strictly for informational purposes. If you find any offensive or objectionable material relating yourself/organization kindly write to us info@securitytheorem.com. And we shall take necessary steps. 

Logjam: All you need to know

Over the past couple of years the industry is regularly presented with SSL/TLS vulnerabilities and each of them has a unique name/buzzword to it. Some of the past buzzwords have are BEAST, FREAK, POODLE, LUCKY THRITEEN & The latest being “Logjam”. In this post we shall explain as to what exactly is Logjam? Is it actually a threat or just another vulnerability jargon? And lastly we shall explain you how to check if you are vulnerable & mitigate the vulnerability.

Logjam –The Vulnerability

The Logjam vulnerability is a TLS vulnerability found in the “Diffie-Hellman-Merkle” cipher. The attack is much similar to the recent FREAK attack in which the client & server are tricked into using a downgraded export cipher. As mentioned above in our case client-servers using 512 Bit -DHM export grade ciphers are vulnerable. So now we need to understand what is an EXPORT GRADE cipher? Technically speaking none of the ciphers are export as during a connection end to end encryption is being used as well as necessary protocols are put into place. But the cryptographic keys that are used into the ciphers are deliberately weakened so that they can be cracked upon later when required. 

In the 90’s government agencies used to sell software to its enemies using such keys (Export grade) which when need they could crack and monitor their enemies. Later in the year 2000 the US government abandoned the use of such ciphers, but by that time they had already flourished into the industry and where used in many products at different levels. So organizations also had to keep providing support for the ciphers. The problem with export grade is that over the years the computational power increased but the key lengths were not increased.

Why “Logjam”?

The DHM algorithm that is exploited by the vulnerability uses mathematical calculations known as discrete logarithms, short for which are “logs”. The attack uses special logs to jam bogus messages into the data to crack the communication, hence the name “Logjam” was derived.

Logjam - What it takes to launch a successful attack?

One of the most important things to exploit this vulnerability is to have or be able to generate exceptional computing power which can be equivalent to government security agencies or the computational power available at big universities. Let us assume that we have the request power available at our disposal, nevertheless still there are many scenarios which need to be in place for this attack to successful:

• The attackers must select the target beforehand and must be listening to their traffic before performing the attack.
• It is also necessary for the attacker to be already having established the “Man in the Middle” connection or be able to immediately establish once the targets start talking to each other. For e.g. if the attacker is at a coffee shop and listening to the traffic, if his targets are not yet decided or is still not in a position to establish a “Man in the Middle” connection the possibility of finding the same target again is quite rare.
• The attacker needs to have pre computed values that the client will be using or need to have exceptional computational power.

Are you “Vulnerable”?

There are various free tools and website which will help you test your servers, browsers etc. against this attack :

• Keycdn - https://tools.keycdn.com/logjam
• Weakdh - https://weakdh.org/
• Qualys Labs - https://www.ssllabs.com/ssltest/index.html

Open source software’s such as OpenSSL or Nmap can also be used to detect the vulnerability. The commands for them are:

• Open SSL:  openssl s_client -connect www.[yourwebsite/server].com:443 -cipher "EDH" | grep "Server Temp Key"

In the above case if the key is less than 2048 than one should consider themselves to be vulnerable as now a days even 1024 bit keys can be cracked. If the connection fails in the above command than it would mean that there is no support for the DHM on the server and you are safe. 

Now another check that is to be done with open SSL is to check if there is support for export grade ciphers disabled:

• Command : openssl s_client -connect www.example:com:443 -cipher "EXP"

In this case if the connection is successful than it means export grade is enabled and one needs to disable it.

For Nmap users the command would be:

• Nmap : nmap --script ssl-enum-ciphers -p 443 www.example.com | grep EXPORT

The researchers who found this vulnerability have come up with a good guide to securely implement the DHM algorithm and defend against the Logjam vulnerability:

• https://weakdh.org/sysadmin.html

Our Take

We understand that you might be vulnerable to Logjam. But we would recommend you not rush into patching this vulnerability. William Murray a well-known information assurance trainer as nicely said in his recent article “Not all vulnerabilities are problems; not all problems are of same size”.  It might be easy for a security agency to crack a 512 or 1024 Bit key but it is also quite expensive for them. When thinking of patching your systems keep in mind the 3rd rule of Adi Shamir “People do not break crypto, they bypass it.” 

Sources: 

• https://nakedsecurity.sophos.com/the-logjam-vulnerability-in-tldr-format/
• http://security.stackexchange.com/questions/89773/how-to-check-if-a-server-is-not-vulnerable-to-logjam
• http://www.techrepublic.com/article/logjam-tls-vulnerability-is-academic-not-catastrophic/
• http://www.bankinfosecurity.com/logjam-vulnerability-x-facts-a-8249/op-1
• https://weakdh.org/sysadmin.html

Android Backup Path Traversal Attack

A vulnerability found by Imre Rad and reported almost 10 months ago came to light before a week. All the android devices running versions below 5.0 are vulnerable to the attack that we shall be discussing further.

ADB stands for Android Debug Bridge which is a command line interface used to communicate with your android device. Using ADB one can add files,views files, delete data,give certain system commands etc. One such command that is used widely is the backup command.  With adb backup a complete back up of your android device is created and stored on your computer. And with the adb restore  command user can restore the full backup when needed.

A vulnerability was found in the way debug bridge handles the storage and retrieval process of the backup. In ADB this process is handled by Backup Manager Service, when a backup is created it is stored with .TAR extension.

If the header of the TAR file is modified and given a path of a malicious file. Then when a backup is restored it the original file will be over written and user shall have a malicious file on the device. To have a better understanding an example is:

Original File Header Path:

Original Value

Apps/com.andriod.settings/foo

Changed Header:

Apps/com.andriod.settings/foo/../../../data/system/hacker.txt

Malicious Value

In the above example we have added  “../../” and the file path to the original header. 

To restore we need to first pack our .tar file with the following command:
java -jar abe.jar pack [tar filename][backup filename]

Our tar file packed

Now restore the backup with following command:
adb restore [filename]

Backup restore

Backup Restore Message in Device

Now on restoration of backup the malicious file will be loaded on to the system.

However there are certain pre conditions for the exploit to work :

• The header checksum must match.
• The partition on which the retrieval is taking place must be mounted as a writeable partition for e.g. /System would not work but /data would work as it is a writeable partition.
• The files will not overwrite if it owned by root. This is because the process which is restoring is running as the same user as the package and Andriod packages do not run.
• With the introduction of new system hardening process for ignoring non system agent packages in Andriod Open Source Project (AOSP) 4.3 it is not possible to overwrite the file in later versions. However is the device is running custom ROM or is rooted and running higher versions such as 4.4 or higher than mostly likely it is possible to overwrite the file.
• All the pre AOSP 4.3 versions are exploitable without any additional conditions. In this case it is possible to overwrite any file or package that is installed on the system.

Make sure that your devices have the latest patches and security policies installed onto them. We would also like to thank Imre & folks at exploit db for presenting us with such a beautiful exploit. If you have any queries feel free to write to us at info@securitytheorem.com or simply leave a comment below.

Soruce: https://www.exploit-db.com/exploits/36813/

Malicious Attack with IOS Device Local Storage

In our previous blog post “Pentesting with iPhone without Jailbreak” we gave you an overview of software named iFunbox as well as how to access the local storage of any application. In today’s blog post we shall expand on that and we will show you how to leverage that technique and perform a malicious attack.

Access the local storage of the application (if you want to know how to access it kindly refer to our previous post.)

Image 1 - Applications on the Device

Image 2- Files in Local Storage

Now when an attacker gets access to this local storage he can upload any malicious content into the storage. Also any desired changes to the content of the application can be done. And with the help of the software (ifunbox) we can push the content back into the device. So when a user opens the application the malicious content will also be loaded along with the application. 

Let us take a scenario in which an application stores certain offline webpages for faster loading of its application. Now an attacker who has the access to the local storage can insert malicious JavaScript into these pages and push (use the option “Copy from PC” in the ifunbox) the application back into the phone. Now whenever a user runs that application the JavaScript’s will also run and in this way he can take control of the device. 

Image-3 Java Script is loaded when the application is opened

The above image shows a cross site scripting attack we performed on an application by exploiting application's local storage. The interesting thing here is that all the applications store something in local storage i.e. offline pages, images, sensitive data etc. Hence there is lot for an attacker to exploit. Also one might think that in terms of security the device is pin locked and fingerprint locked but sadly these attacks would even work if the device was protected with such security mechanisms.

To curb such attacks the most important thing one could do to safe guard would be “Keep your phone with you at all times ;-)” .

Note:- All the changes are to be made outside the  ".app" folder.

Pentesting Iphone without “Jailbreak”

I would like to thank everyone for appreciating our first blog post and sending us positive feedback. As promised in the previous blog here we shall discuss a step by step guide on pentesting an iPhone without jail breaking the device. Now going straight to business following are the things that you shall need before performing these steps.

• An Apple Device(iPod, iPhone, iPad)
• A Computer
• Itunes installed on the computer
• Device drivers installed
• USB cable to connect the device
• iFunBox application installed on the computer (http://www.i-funbox.com/)

Before moving ahead I would like to thank the Team at “iFunBox” for creating such a wonderful application.

Moving ahead are the steps:

Step-1

• Connect your apple device to desired computer/machine
• After connecting the device open the iFunBox application on the machine

If the device is properly attached and the drivers are installed the ifunbox application will show the device along with its name. In this case we are using “Ipad2”.

The left hand side panel will show all the applications which are installed on the device. Also one of the things to notice is if the device is not Jail Broken then after the device name it will show “Jailed”. The image below will give you an clear idea about it.

Step-2

• From the list of applications select the application which you want to pentest.
• Right Click on that application and select the option copy to my PC.

Step-3

• After selecting the option the files of the respective application will be copied locally to the desired location.
• And we are ready to test the application.

All this data can be analyzed with various available tools such a SQL lite browser.

Note-:  In an Iphone application unlike Andriod there is no such manifest file which will give information about the permissions that have been granted/taken by an installed application Now this is a very trivial information if known can be very useful .Now to get this answer Ifunbox has an inbuilt feature which will allow us to get these answers. One just needs to right click on the application and an option of “App inspection” will appear.  On clicking that the above said outcome will be presented. Below are the images for the same to give you a better understanding.

The above images show the permissions which each application has been given.

So here we conclude this topic and we hope you find this information useful. Looking forward to receive feedback from all of you.

P.S. – Our next blog post will be a new IOS exploit ;-) (more details in the next blog-post)

Pentesting android without “Root”

Over the past year the number of mobile applications that we have been pentesting  are on the rise and it certainly seems that the future is going towards mobile technology. During the penetration testing one of the prerequisites that we faced was to “Root” the device in order to test certain local storage features and as well key features of an application. Rooting a device can turn out to be to a daunting task itself (am sure many of you would agree to this) especially if you are new to this field or if you are running the latest version of an operating system for e.g. A device running on Kitkat 4.4.2 and for many other such reasons it was turning out to be a difficult task.

Hence we at security theorem decided to get our hands dirty and find a way around this. And  Taadaaaaa….. we certainly found a solution for this and we are happy to share this with the community. Below is a step by step guide on how to perform penetration testing without rooting:

Note: - Lot of applications these days have Mobile Device Management(MDM) systems built into them which check for the safety of the application if the device is “Rooted” or not. If the device is found to be “Rooted” then the application would not install/function properly. In such scenario this method of penetration testing becomes extremely useful and gives successful output.

Things you will need :

• An Andriod device
• A Computer
• USB Cable
• Device Drivers installed on the pc
• ADB installed on the pc. ( if you do not have ADB you can find it at ‎http://forum.xda-developers.com/showthread.php?t=1474956 )
• Andriod Backup Extractor (http://sourceforge.net/projects/adbextractor/files/ )

I hope now you have all the above things in place, so here we go :

Step-1

Connect the device to the computer & Turn on USB debugging from the device settings

Open Command prompt and type the following command : adb devices

If the device is correctly attached and drivers are installed then you shall see the result as above. The above image gives us a confirmation of our device being attached.

Step-2

In this step we shall find the package (Application) that we want to test.

Enter the command : adb shell pm list packages

This will list all the applications that are installed on the device and from this list we can pick out desired package.

Step-3

Now backup the application that is needed to be tested

Enter the following command : adb backup -noapk  com.android.providers.settings

It should be noted that  “com.andriod.providers.settings ” has to be replaced by the name of the application which we want to test.

After the command the below screen will appear on your device. Select the option “Back up my data”

Here you can also backup your data in encrypted form by giving a password.  The backup shall be created in the same directory with “.ab” extension.



Step-4

Now with the help of ADB extractor we shall extract our backup file.
Apply the following command to the “backup.ab” file : java -jar abe.jar info backup.ab [password]
It should be noted that if a password was given at the time of backup it should be mentioned in the above command.



Step-5

The file which is now generated is not in readable format hence shall now unpack our backup file
Enter the following command :  java -jar abe.jar unpack backup.ab  backup.zip [password]



The image below shows the zip file being created.



Now we can unzip the file to view it contents.

The images below show the content of the unzipped files.
These files can be analyzed through various pentesting tools such as sql lite browser.
In our next series of post we shall be talking about how to pentest an Iphone Application without jail breaking the device.
Hope you found this useful and you can leave your comments or suggests down below or you can reach us at info@securitytheorem.com for any queries.