Monday, July 21, 2008

Computer Crimes: PHISHING FOR LAWYERS

I believe that lawyers or judges involved in this field must have a grounding in computer science. It is not necessary to study computer systems as a career, but it is important to have basic knowledge of networks, computers and network security, and to understand how certain illegal techniques are used, since the crimes derived from these areas are criminal (penal) offences in those countries that distinguish civil wrongs from criminal offences.

Nowadays almost everything around us in daily life is closely tied to the Internet, the network of networks. Computers, cell phones and even home appliances are, in most cases, configured at the factory to connect directly to the Internet.

White-collar criminals have kept pace with the technological evolution of recent decades. Some of them keep up with technology simply because the subject interests them and they want to move along with it; others reckon that crime is profitable and subcontract people from the underground to carry out their criminal plans.

What is Phishing? Phishing is creating a replica of an existing web page of a legitimate company to entice a user into submitting personal, financial or password data. Through this method the Phisher extracts, without consent, information that will then be used illegally against the victim to carry out electronic fraud.
There are several ways an end user arrives at a portal used for Phishing: web links, recommendations from other people or, the most common of all, an e-mail message.

We must understand that computer systems are governed by two basic processes: one that interacts with the user, the "front end", and another that processes the data coming in from the front end, the "back end".
On a Phishing site the website is identical to the original: its structure, design and graphics are replicas of the original. White-collar delinquents know that most users pay attention to the final look of a website but are unaware of the other processes that take place in the background. Although the site is an identical copy of the original, the fake one has code inserted that captures the data the Phisher needs to carry out his objective: gaining unauthorized access to crucial information and afterwards obtaining a benefit from that information. If the false site imitates an online-banking system, which is the most common case on the network of networks, the final purpose is the transfer of the user's funds from his account to the Phisher's account.

The theme of the website used for Phishing depends on its creator, his final intention and what he is trying to achieve. The most common fake sites are online banks, e-mail systems and paid services. If it is an online bank, as mentioned before, the final mission is the transfer of the victim's funds (money); if the target is e-mail, it is to obtain unauthorized access to the victim's mail account; if it is a paid service, the objective is to obtain that service for free.
Now we will see how a Phisher builds the fake site from the ground up. The following example starts with an e-mail sent by a Phisher.

When you receive an e-mail inviting you to go to a website created by a Phisher, the site, as mentioned before, will look exactly like the official one. For example, suppose the Phisher is going to commit electronic fraud by extracting money from your bank account. The first thing the Phisher will do is find out the e-mail address the bank uses to get in touch with you. The Phisher will then send an e-mail that simulates one sent from your bank, for example from management@online-bank.com. This is obviously done to lead you to believe that the e-mail actually comes from the bank.

Generally the e-mail will state some reason that seems important enough for you to click a link included in the text of the e-mail, which imitates the real bank's link, such as https://secure.online-bank.com/login, making you believe that you are entering the bank's website.

The following example shows how a replica (false website) of a real website is created:

1.- Go to any website that requires a login and password to get in. In this case we will use Google.



2.- While on the website, click on it, open the File menu of your browser and choose Save As.



3.- In the dialog window, enter any name and document type.




4.- As you have seen, having completed the previous steps the Phisher has easily obtained an exact replica of a website that will stand in for the original. The next thing the Phisher will do is modify the false website and insert program code so that when a user submits information on it, the data is captured by the Phisher and used as he sees fit.

What has been shown is considered by security experts a very basic form of Phishing, since there are techniques that make Phishing more efficient and take it to a higher technological level. Some of these techniques are:

-Pharming: consists of attacking the DNS. This technique will be fully explained in an upcoming report.
-Infecting the browser with ActiveX controls so that when the end user enters a real website an iframe overlays the original, replacing the data input fields with ones controlled by the Phisher.

See the video of how phishing is done:
http://blip.tv/file/1107622

Every country has its own laws to sanction this type of crime, but what matters is that we as lawyers see how it is done and how it works, in order to pinpoint how this criminal conduct fits into our laws.

Laws in Venezuela

In Venezuela there is a law that applies to computer crimes. Article 2 of this law defines sixteen (16) concepts, ranging from hardware and software to information technology.
Several articles of this law clearly cover Phishing:

Articles 6 and 9: These articles address unauthorized access to a computer system.

Article 7: This article describes system sabotage. If the Phishing is done with Pharming, the DNS protocol is being tampered with (this causes a typed domain.com to resolve to a specified server; we will see this later on).

Article 10: This article refers to contracting someone to build the infrastructure that enables a crime to be carried out through Phishing. The person who hires is considered responsible for committing a technological crime.

Article 11: This article describes what is referred to as computer espionage. When a person enters a computer system and accesses someone's private information using a login and password without due authorization, the mere fact of accessing that data illegally is considered espionage.

Article 12: This article describes document falsification. Since Phishing is the falsification of a website, it clearly fits into this article.

Article 13: This article deals with theft. It is understood that the final goal of Phishing is obtaining money, getting some type of service for free, etc., which is consequently theft.

Article 14: This article deals with fraud. As we have seen all along, Phishing is electronic fraud and fits perfectly into this article.



PHISHING FOR JUDGES AND LAWYERS

Every lawyer or judge who works in this field must have knowledge of computing. It is not necessary to formally study Systems or a related degree, but one should be knowledgeable about networks and computer security, since that is where criminal (penal) offences arise (speaking of those countries that distinguish civil wrongs from criminal offences, http://es.wikipedia.org/wiki/Delito).

Almost everything around us in daily life relates to the Internet, which is the network of networks. Computers, cell phones and even some home appliances come from the factory with something that ties them to the Internet. Alongside the technological evolution of recent decades, white-collar criminals have also found it necessary to evolve and stay up to date, whether because the subject interests them and they keep pace with technological progress, or because they think crime is profitable and subcontract people from the underground to carry out their plans.

What is Phishing? Phishing is nothing more than an electronic fraud that combines two techniques:

• Falsifying a website (web spoofing) and
• Falsifying an e-mail message (e-mail spoofing).

There are several ways to arrive at a portal that acts as Phishing (or web spoof):

• Links on websites
• Recommendations from people
• E-mail messages. The most common of all.

To begin, we must understand that computer systems are governed by two (2) basic processes:

• Front end: interacts with the user, and
• Back end: processes the input coming from the front end.

On a Phishing site we can see that the look of the website is identical to the original: structure, graphics, etc. The white-collar criminal knows that most users notice the graphical aspect but are not aware of, or do not understand, the processes that run behind it. Although the site is an identical copy of the original, it nevertheless has code inserted whose function is to capture the data needed by the Phishers, the people who engage in Phishing, to carry out their objective. The Phisher's purpose is to gain unauthorized access to a system and then profit from it by committing fraud. If the forgery (Phishing) targets an online-banking system, which is the most common on the network of networks, its final goal is obtaining money by transferring funds. To make the concept clear: Phishing is comparable to someone copying the key to your house, entering it without your authorization and finally robbing you.

The theme, meaning the design and look of the web page that acts as Phishing, depends on its creator, on the Phisher's motives and on what he intends to obtain. The most common motives are:

• Online banking: if it is online banking, the final objective is the transfer of funds (money)
• E-mail: if it is e-mail, the objective is to obtain unauthorized access to e-mail systems
• Paid service site: if the theme is some paid service, the objective is to obtain that service for free.

Now let us see how the Phisher works from scratch; to that end we describe the Phishing process, which in this case arrives by electronic mail, commonly known as e-mail.

Generally the user receives an e-mail meant to lead him to the forged portal made by a Phisher, and the e-mail will resemble that of the entity the Phisher is trying to imitate. The following example of an online-banking fraud expands on the concept:

• The bank, in this case, is called Banco-online.
• The Phisher studies the e-mail address the bank uses to communicate with its customers, which in this case is you.
• The Phisher sends you an e-mail simulating that the sender's mail account is the bank's, for example gerencia@banco-online.com, and succeeds in deceiving you. You think and accept that the e-mail really comes from your bank.
• The content of the e-mail will give some reason why the supposed bank is sending it, and a hyperlink (link) will be included in the text that imitates your bank's link, for example: https://secure.banco-online.com/login
• Believing this to be the bank's genuine link, you click on it to start your session, but when you click the link it sends you to a page such as http://200.11.11.11/login, designed to make you believe it is your bank's or service's official, genuine website. Where did you end up?
You ended up on the forged page created by the Phisher, and from that moment on you supply all the data the Phisher needs to finally defraud you. At login you give him the login (user name) and the password. In other words, you hand the Phisher the key that gives full access to your bank account.
• Result: you have been defrauded. The Phisher transfers the funds in your account (your money) to another account as if you had done it yourself.
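
The mismatch between the link text the victim sees and where the link really goes, described in the e-mail walk-through above (and in the English version earlier on this page), is something a mail gateway or a cautious reader can check mechanically. The following is an added example, not code from the original post: it parses an HTML e-mail body and flags anchors whose visible text is a URL on a different host than the href, anchors that point at a bare IP address (the 200.11.11.11 case above), and anchors that show https:// but link to plain http://. The e-mail body is constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail body (added example, stdlib only)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail, reusing the post's scenario: the visible text
# shows the bank's HTTPS login page, the real target is a bare IP address.
PHISHING_MAIL = """
<p>Estimado cliente, confirme su cuenta:</p>
<a href="http://200.11.11.11/login">https://secure.banco-online.com/login</a>
<p>O visite <a href="https://www.banco-online.com/help">our help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """Return a list of (href, reason) for every suspicious anchor."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = _host(href)
        # Only treat the visible text as a URL claim when it looks like one.
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if _is_ip(target):
            findings.append((href, "link points to a bare IP address"))
        elif shown and shown != target:
            findings.append((href, f"visible text shows {shown} but link goes to {target}"))
        elif text.startswith("https://") and urlparse(href).scheme == "http":
            findings.append((href, "visible text claims HTTPS but link is plain HTTP"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(PHISHING_MAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

A real gateway would also compare the From: domain against the link hosts and resolve shortened URLs, which this example does not attempt.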
To make the replica of the target site, that is, of a web page, just try the following:

• Find any site that asks for a login; you can try an e-mail system, for example
• While on the website, open the File menu in the browser and select Save.

Follow these steps to see how simple it is to replicate the page.

1.- Open the website: www.gmail.com



2.- Click on the page and then select Save As...



3.- In the dialog window enter any name and type, as shown in the figure.



See the video of how phishing is done:
http://blip.tv/file/1107622

With these three (3) steps the Phisher easily obtains the graphical structure to make his site identical to the site he wants to impersonate. Now he only has to modify the code so that when a user enters his data and presses Accept, the data supplied is sent to the Phisher, who can then use it later.

Security experts would tell you that this is basic Phishing; there are already techniques that can make it more efficient, taking it to a more sophisticated level by employing:

• Pharming techniques (attacking the DNS; pharming will be described in the next article).
• Infecting the user's browser with ActiveX controls so that when he enters the real website an iframe is overlaid in place of the original login fields.

Each country has its own law sanctioning this type of crime. What matters is that, as lawyers, we see how the crime is committed and how it works, in order to understand this type of criminal conduct and where it fits into our legal system.

In Venezuela there is the Ley contra Delitos Informáticos (Law against Computer Crimes), and article 2 of this law identifies sixteen (16) computing concepts that range from hardware (the physical equipment) and software (applications) to information technology and others.

We can observe in several articles how Phishing fits.

Articles 6 and 9: They address improper access by persons who obtain access to a system without due authorization. The main objective of Phishing is obtaining access WITHOUT the other person's permission.

Article 7: Refers to system sabotage. If the Phishing works with pharming techniques, this means the operation of the DNS protocol is being modified; DNS is responsible for making a typed dominio.com go to a particular server on the Internet (this will be explained later).

Article 10: Refers to the provision of services. If the white-collar criminal hires another person to build the whole infrastructure for the Phishing, that person is committing a computer crime.

Article 11: Refers to computer espionage. The white-collar criminal, by having access to a user's critical data, essentially the user name and password, will have UNRESTRICTED access to the user's real system and in turn to all of the user's data or information. This article establishes that the mere act of improperly obtaining a user's information constitutes the crime of computer espionage.

Article 12: Refers to document falsification. There is not much to elaborate here, since Phishing is precisely the falsification of a website and clearly fits this article.

Article 13: Refers to theft. It corresponds perfectly to the final objectives of Phishing, which are obtaining money, obtaining a service for free, etc. These acts are sanctioned by this article.

Article 14: Refers to fraud. As with the previous article, all the main characteristics of Phishing (manipulation, insertion of false instructions, etc.) fit perfectly into this article.

Saturday, June 14, 2008

XSS Attacks and The Implications in Financial Applications

In-line security of web applications, and of desktop applications developed to interact through third-party web plugins, has raised the level of controls that should be in place. Apart from injection attacks (SQL injection) there is another attack vector that is becoming ever clearer, called 'XSS' or 'Cross Site Scripting'. At its most basic, this attack vector has three main divisions:

1. DOM-based XSS
DOM-based XSS usually runs on the victim's local machine as soon as the malicious website is visited.

2. Non-Persistent
Non-persistent XSS works by having crafted code in a URL executed to generate the dynamic page with the attacker's choice of code. This happens when there is no sanitization of user input (e.g. search engines). This type of XSS attack works as long as the crafted URL with its pre-defined code is executed by the victim's browser.

3. Persistent
Persistent XSS stays stored permanently on the vulnerable website, waiting to be executed on each victim's machine. It can take the form of a worm or any other malware served to the site's visitors.

Effect on Financial Applications
From a practical point of view, it is possible to steal a user's bank cookies and take over the session in one way or another. A related approach is to transfer an amount of money from an existing authenticated user session using a crafted URL (if the bank allows such transfers without any pre-confirmation screen).





In another scenario, an attacker can demonstrate XSS tunnelling through the use of the XSS-Shell tool. It allows an attacker to create an XSS channel between a victim and an attacker. By referencing XSS-Shell from the injected JavaScript code, the attacker can easily take control of the victim's browser (requests and responses pass through the XSS channel).
For more info: http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip


A sample screenshot taken from "xssed.com" shows that the websites of major commercial and government organizations are affected by this threat. Although only a few are listed there, more become known as web pen-testing progresses.

Remediation Schemes
XSS and other injection attacks can be filtered at the application layer by following tactics such as these:

-Sanitizing user input for malicious characters.
-Making sure that the web application returns user values as HTML entities (instead of tags), and only after checking for malicious code.
-Using a WAF (Web Application Firewall) technology such as 'ModSecurity'.
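
The second remediation above, returning user values as HTML entities, is the one that actually removes the non-persistent XSS sink in the "search engine" case the post mentions. The following is an added example, not code from the original post: a constructed search-results page rendered once with the raw query reflected (the vulnerable form) and once with every reflected value entity-encoded, so the same input lands as text instead of markup.

```python
"""Reflected search term: vulnerable rendering beside the entity-encoded fix.

Added example; the page layout and the sample query are constructed.
"""
import html

# Constructed sample of what an attacker would type into the search box:
# it closes the value attribute and opens a script element.
SAMPLE_QUERY = '"><script>alert(1)</script>'


def render_search_vulnerable(query):
    """Reflects the query verbatim in two places: the classic XSS sink."""
    return (
        "<h1>Results for: " + query + "</h1>\n"
        '<input type="text" name="q" value="' + query + '">'
    )


def render_search_safe(query):
    """Same page, but every reflected value is HTML-entity encoded.

    html.escape(quote=True) turns & < > " and ' into entities, which is
    the right encoding for an element body and for a quoted attribute,
    the two contexts used here. It is NOT sufficient for unquoted
    attributes, URL parameters or inline JavaScript; each of those needs
    its own context-specific encoder.
    """
    safe = html.escape(query, quote=True)
    return (
        "<h1>Results for: " + safe + "</h1>\n"
        '<input type="text" name="q" value="' + safe + '">'
    )


def reflects_markup(page, query):
    """True if the raw query, tags included, reappears in the page.

    This is the check a scanner (or a unit test) runs against a response
    to tell the vulnerable rendering from the encoded one.
    """
    return query in page


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(SAMPLE_QUERY))
    print("encoded:   ", render_search_safe(SAMPLE_QUERY))
```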

Friday, April 25, 2008

Malware Analysis Tools and Techniques


Apart from the guidelines that have been published in various books and articles, this post will summarize the overall manual and automated techniques for simulating and testing collected malware samples and their behavioural activity. Note that "malware" can be delivered in the form of a trojan, virus or worm.

Manual Toolset
These tools require other tools to be used in conjunction with them to support in-depth analysis of a malware sample.

Foundstone BINTEXT
Malzilla (analyzing web-based malware - JavaScript/iFrame)
HTTP Proxy Debuggers (Paros, WebScarab)
Nepenthes
iDefense SysAnalyzer, HookExplorer and MAP (Malcode Analyst Pack)
RegShot
SysInternals Tools
PEiD Tool (Very important to detect packers/compilers/cryptors)
UPX
FireBug
OllyDbg
WinDbg
GDB GNU (Linux)
OllyDump
OllyScript
SoftICE (Reversing)
IDA Pro (Reversing)
Salamander Decompiler (.NET Applications)
Reflector.Net Tool
DaFixer's DeDe (Delphi)
Backerstreet.com REC
HeavenTools PE Explorer
HijackThis

Automated Online Tools
These online submission services automatically analyze the malware in a very restricted (simulated) environment, record its activities and produce results based on various anti-virus/malware detection engines.

CWSandbox.org
ThreatExpert.com
VirusScan.jotti.org
Norman.com/microsites/nsic/
Malwareinfo.org
VirusTotal.com
VirScan.org

Wednesday, April 16, 2008

Digital Forensics: An Investigator Toolkit


The world of computer forensics has undergone rapid changes in the laws and regulations concerning the professionals who conduct investigations on a day-to-day basis. Strict jurisdiction over the processing of corporate crime investigations has opened new debates between the attackers' world (more advanced malicious adversaries applying anti-forensic techniques, making them harder to track down) and forensic investigators. As I mentioned previously, I am posting forensics-related tools under defined categories to ease forensic practice. Below is a list of tools that a forensic examiner can use during an investigation.

File Analysis
SurfRecon LE rapid image analysis tool
truss
ltrace
xtrace
ktrace
Strings (Download the program strings.exe from http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx)
Valgrind
Galleta
Pasco (by Foundstone)
Rifiuti
yim2text
InCtrl5
Hachoir
UnxUtils
Cygwin
GnuWin32
P2P Marshal

Disk Analysis Tools
PC-3000
LINReS
SMART (by ASR Data)
Macintosh Forensic Software (BlackBag Technologies, Inc.)
MacForensicsLab
EMail Detective - Forensic Software Tool
EnCase (by Guidance Software) - Most Recommended
Sysinternals Monitoring Tools (Regmon,Filemon and more.)
FBI tool (Nuix Pty Ltd)
Forensic Toolkit (FTK) (by AccessData)
ILook Investigator (Elliot Spencer and U.S. Dept of Treasury)
OnLineDFS
Safeback
X-Ways Forensics
Prodiscover
AFFLIB
Autopsy
foremost
FTimes
Scalpel
Sleuthkit
Zeitline (Forensic timeline editor)
P2 Enterprise Edition (by Paraben)
LiveWire Investigator 2008
Pathways

Metadata Extraction Tools
antiword
catdoc
PuriFile
jhead
laola
vinetto
word2x
wvWare
xpdf
Metadata Assistant
Hachoir-metadata (Hachoir project)

Memory Imaging Tools
Firewire (http://www.storm.net.nz/projects/16)
Tribble PCI Card
CoPilot
Windows Memory Forensic Toolkit (WMFT)
Idetect (Linux)
dd (Linux)

PDA Forensics
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics
BitPIM
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
MOBILedit
Oxygen PM II
Paraben's Device Seizure
TULP2G

SIM Card Forensics
ForensicSIM
SIMCon

Preservation Tools
Paraben StrongHold Bag
Paraben StrongHold Tent

Hex Editors
biew
hexdump
WinHex
Hex Workshop

Forensics Live CDs
Helix
SNARL
DEFT Linux
Knoppix STD
Recovery Is Possible - RIP from Tux.org
Stagos FSE

Other Essential Tools
VMware Player
VMware Server
Webtracer
The Onion Router (TOR)
Live View
Parallels VM
Microsoft Virtual PC


Even for an excellent investigator it is nevertheless essential to go beyond this toolset and perform manual operations on different aspects and dimensions of the examination. Keeping in mind the anti-forensic techniques attackers use to hide their tracks can be very beneficial. It is a known fact that, to prosecute the right person, one should think carefully about what the malicious adversary did, step by step. Remember, in no case should you modify or alter the original preserved evidence.




In the world of computer forensics, very rapid changes occur owing to the laws and regulations concerning the conduct of the professionals who carry out investigations day to day. Entering the jurisdiction of processing a corporate crime investigation has opened new debates between the attackers' world and that of forensic investigators. As we said before in one of our posts, the tools are grouped by category to make forensic practice easier.
Below is a list of the tools that can be used during the investigation.

File analysis:
SurfRecon LE
truss
ltrace
xtrace
ktrace
Strings
Valgrind
Galleta
Pasco (by Foundstone)
Rifiuti
yim2text
InCtrl5
Hachoir
UnxUtils
Cygwin
GnuWin32
P2P Marshal

Disk analysis:
PC-3000
LINReS
SMART (by ASR Data)
Macintosh Forensic Software (BlackBag Technologies, Inc.)
MacForensicsLab
EMail Detective - Forensic Software Tool
EnCase (by Guidance Software) - Most Recommended
Sysinternals Monitoring Tools (Regmon,Filemon and more.)
FBI tool (Nuix Pty Ltd)
Forensic Toolkit (FTK) (by AccessData)
ILook Investigator (Elliot Spencer and U.S. Dept of Treasury)
OnLineDFS
Safeback
X-Ways Forensics
Prodiscover
AFFLIB
Autopsy
foremost
FTimes
Scalpel
Sleuthkit
Zeitline (Forensic timeline editor)
P2 Enterprise Edition (by Paraben)
LiveWire Investigator 2008
Pathways

Metadata extraction:
antiword
catdoc
PuriFile
jhead
laola
vinetto
word2x
wvWare
xpdf
Metadata Assistant
Hachoir-metadata (Hachoir project)

Memory imaging tools:
Firewire (http://www.storm.net.nz/projects/16)
Tribble PCI Card
CoPilot
Windows Memory Forensic Toolkit (WMFT)
Idetect (Linux)
dd (Linux)

PDA tools:
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell phone tools:
BitPIM
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
MOBILedit
Oxygen PM II
Paraben's Device Seizure
TULP2G

SIM card tools:
ForensicSIM
SIMCon

Preservation tools:
Paraben StrongHold Bag
Paraben StrongHold Tent

Hex editors:
biew
hexdump
WinHex
Hex Workshop

Live CDs:
Helix
SNARL
DEFT Linux
Knoppix STD
Recovery Is Possible - RIP from Tux.org
Stagos FSE

And other essential tools:
VMware Player
VMware Server
Webtracer
The Onion Router (TOR)
Live View
Parallels VM
Microsoft Virtual PC

You must keep in mind that there are anti-forensic techniques used by attackers to help them hide and gain the advantage. Since this is a known fact, to catch the right person one must think like them, trying to recreate their steps one by one. Remember, in no case should you modify or alter the original data.

Translated by: Rafael, Alfredo, Ali (www.ethical-hacker.net)

Sunday, April 13, 2008

Initial Steps in Computer Forensics

A few weeks back I was following the SecurityFocus mailing lists and responded to one of my colleagues' e-mails concerning a "computer forensics" investigation. Here is what I initially laid out for him for copying the HDD to preserve the master record of the evidence. In computer forensics, the first step is to acquire and save the evidence, protecting it from any modification made either by the investigator or by any other entity. The best way of dealing with such cases is:

1. Power down the system (if applicable, for removable storage media).
2. Remove any portable storage media and check whether you can remove the HDD as well.
3. Record the necessary BIOS information.
4. Make an image of the storage media:
- dd (under Linux)
- EnCase (for Win32)
- SMART from ASRData
5. Verify the integrity of the data collected using an MD5 checksum tool.

Just be sure about the proper documents and legal procedures to be followed in any investigation you are on. By following these steps you assure the chain of custody for the evidence, with no modifications noted.

Some useful metadata analyzer tools can help find hidden "metadata" inside a number of document types (PDF, DOC, XLS, etc.):

-PuriFile (http://www.purifile.com)
-Inforenz Forager (http://www.inforenz.com/software/index.html)
-Metadata Analysis and cleanup (http://www.payneconsulting.com)
-wvWare (http://wvware.sourceforge.net)

I will be posting the analog of Forensics Analysis Tools, the same as I did for the "Penetration Testing Framework", very soon, so keep an eye out for it.



A few weeks ago, following the SecurityFocus list and in response to a colleague's e-mail concerning a "Computer Forensics" investigation, here is what he initially defined as the way to copy the hard disk to preserve the initial record of the evidence. In computer forensics, the first step is to acquire (make a copy of) and save the evidence (the original HDD) to prevent any modification the investigator might make later. The best way to do this is:

1. Power down the system (if applicable, remove the removable devices)
2. Remove any removable device and check whether you can remove the hard disk as well
3. Record the necessary BIOS information.
4. Make an image of the devices.
- dd (Linux)
- EnCase (Win32)
- SMART from ASRData
5. Verify the integrity of the data using an MD5 checksum tool.
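
Step 5 of the procedure above (and of its English version earlier on this page) is the one that later proves in court that the image is what the disk contained. The following is an added example, not code from the original post: it hashes a source and the image made from it in fixed-size chunks (so it copes with multi-gigabyte images), compares the digests, and appends the result to an append-only custody log. Ordinary files stand in for the block device and the dd output, and the data is constructed. MD5 is what the post names; SHA-256 is computed alongside it because MD5 collisions are practical today and a second hash costs almost nothing.

```python
"""Verify an acquired image against its source and log the result (added example)."""
import hashlib
import json
import os
import tempfile
import time


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for the file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path, examiner, log_path=None):
    """Compare source and image hashes; append a custody record if asked.

    Returns the record; record["verified"] is True only when every
    algorithm agrees, so a single-byte difference anywhere fails it.
    """
    src = hash_file(source_path)
    img = hash_file(image_path)
    record = {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "source_hashes": src,
        "image_hashes": img,
        "verified": src == img,
    }
    if log_path:
        with open(log_path, "a") as log:  # append-only: never rewrite old entries
            log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run on constructed data: one faithful image and one tampered image.

    Returns (faithful_verified, tampered_verified); expected (True, False).
    """
    work = tempfile.mkdtemp()
    data = bytes(range(256)) * 4096  # 1 MiB of constructed "disk" content
    paths = {}
    for name, content in (("source.bin", data),
                          ("image.dd", data),
                          ("tampered.dd", data[:-1] + b"\x00")):  # last byte altered
        paths[name] = os.path.join(work, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    log = os.path.join(work, "custody.log")
    good = verify_image(paths["source.bin"], paths["image.dd"], "examiner-1", log)
    bad = verify_image(paths["source.bin"], paths["tampered.dd"], "examiner-1", log)
    return good["verified"], bad["verified"]


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the source path would be the raw device (for example /dev/sdX behind a write blocker) and the image the dd output file; hash the source before and after imaging to show the acquisition itself changed nothing.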

To be sure of the proper documentation and legal procedures you follow during an investigation, you need to ensure the chain of custody and take note of any modification that is made.

Some metadata analyzer tools can help you search for hidden "metadata" inside various document types (PDF, DOC, XLS, etc.)

-PuriFile (http://www.purifile.com)
-Inforenz Forager (http://www.inforenz.com/software/index.html)
-Metadata Analysis and cleanup (http://www.payneconsulting.com)
-wvWare (http://wvware.sourceforge.net)

We will be posting the analog for forensic analysis very soon; stay tuned…

Translated by: Rafael, Alfredo, Ali (www.ethical-hacker.net)

Wednesday, April 9, 2008

Internet Applications: A Local Memory Enumeration To Find Password

Over the last few years we have noticed major progress in the development of the security life cycle of various business and non-business applications. But has it really enhanced the security of how an application should behave locally? On the other hand, application developers sometimes leave or forget a small vulnerability in their application that can cause a major loss on the client side, including "sensitive information being disclosed". As we all know, when an application runs it takes some part of memory, which is used for application processing in various contexts. Internet applications such as MSN Messenger, Yahoo, ICQ and others use memory in the same way, but at some point they leave the user's passwords exposed to an attacker.

A malicious adversary or attacker with local access to the system (either remotely or physically) can dump the primary memory of a particular application and gain access to private information such as passwords present in clear text. Let us take a quick look at MSN Messenger v8.x using a forensics tool called "X-Ways Forensics", although the same could be done using WinHex or similar editors.


As shown in the screenshot, load the 'primary memory' chunk of the application into the X-Ways tool. This is easily accomplished by going to Tools -> Open RAM, or simply pressing Alt+F9.

Now, once inside the memory area, search for the ASCII keyword "Password" using the Search -> Find Text (Ctrl+F) menu, or search for the address "OFFSET:0333B585" in memory using the Position -> Go To Offset (Alt+G) menu. You will find something similar to what is shown in the second screenshot, something like:

---------------------------
Version><ps:UIVersion>1</ps:UIVersion><ps:Cookies></ps:Cookies><ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:Request
Params></ps:AuthInfo><wsse:Security><wsse:UsernameToken Id="user"><wsse:Username>xxxxx@xxxxx.com
</wsse:Username><wsse:Password>xxxxxxxxxxxx</wsse:Password></wsse:UsernameToken>

---------------------------

Here lies the sensitive information disclosure / privacy exposure vulnerability, which MITRE categorizes under CWE ID 316 as "Plaintext Storage in Memory". Almost all versions of Microsoft MSN Messenger are exposed to this problem. From my point of view, public advisories for such a vulnerability would be countless, since thousands of Internet applications exhibit the same behaviour in one way or another.

Countermeasures against this kind of local information disclosure involve using proper cryptographic functions to store and process sensitive information securely in application memory. However, this can also be considered a design flaw in the application, as no security policy was defined prior to the development stage for storing such sensitive user data.
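As an added illustration of the countermeasure above (example code, not the post's or Microsoft's): a hypothetical login routine builds its authentication request in a heap buffer and, in the scrubbed variant, zeroes that buffer through a volatile pointer as soon as the request has been handed off, alongside a search over the buffer of the kind a RAM-dump text search performs. The function names, the request layout and the user/password values are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * writes as dead stores; the same idea as explicit_bzero()/memset_s(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Return 1 if the ASCII string `needle` occurs anywhere in the region
 * [mem, mem+len), i.e. what a hex editor's "Find Text" over a RAM dump would
 * report. Usable as a self-check in tests of credential-handling code. */
int region_contains(const unsigned char *mem, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(mem + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Hypothetical login routine: build the authentication request (modelled on
 * the UsernameToken fragment shown in the post) in a heap buffer, "send" it,
 * and return the buffer so the caller can inspect what is left in memory.
 * With scrub == 0 the password stays resident, as the post observed; with
 * scrub != 0 the buffer is wiped as soon as the request is no longer needed. */
unsigned char *build_and_send_auth(const char *user, const char *password,
                                   size_t bufsize, int scrub) {
    unsigned char *buf = calloc(1, bufsize);
    if (!buf) return NULL;
    snprintf((char *)buf, bufsize,
             "<wsse:Username>%s</wsse:Username><wsse:Password>%s</wsse:Password>",
             user, password);
    /* ... the request would be handed to the transport layer here ... */
    if (scrub) secure_zero(buf, bufsize);
    return buf;
}

int main(void) {
    const char *pw = "example-pass-123";            /* constructed sample value */
    unsigned char *leaky = build_and_send_auth("user@example.com", pw, 256, 0);
    unsigned char *clean = build_and_send_auth("user@example.com", pw, 256, 1);
    printf("password resident without scrub: %d\n", region_contains(leaky, 256, pw));
    printf("password resident after scrub:   %d\n", region_contains(clean, 256, pw));
    free(leaky);
    free(clean);
    return 0;
}
```

Scrubbing only narrows the exposure window: a dump taken while the request is being built, or a copy kept by a lower layer (the post's dump shows the whole SOAP request, not just the password field), is still readable, which is why the post treats the missing storage policy as the underlying design flaw.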

Monday, April 7, 2008

On the fly: Web Application Security Auditing


If you have heard of FireCAT (Firefox Auditing Tools - my favourite) before, then this article will simply extract some of the most useful and attainable tools that are a must while auditing a web application directly through your browser. Following standard web application pen-testing methods with the tools provided under FireCAT will let you evaluate the security level of most web applications.

Using the FireCAT tools adds a wide range of extensions to your browser, letting you work from top to bottom to find as much information as possible about your target. In my experience, some of the useful tools are mentioned below:

Information Gathering
ActiveWhois, DomainFinder, RouterStatus(more useful if you're local/remote network admin), Header Spy, Header Monitor, People Search, Who is this Person, Google Advanced Dorks, SpiderZilla, Google Site Indexer(very useful).

Web Relay/Proxy Auditors
SwitchProxy, FoxyProxy

Security Auditing
Tamper Data(tampering with live web-forms data), LiveHTTPHeaders, User Agent Switcher, Add'n'Edit Cookies, Cookies Swap, AllCookies, DOM Inspector(specifically for developers), Chickenfoot, Poster, XSS-Me and SQL Inject-Me(excellent toolset).

Network Auditing Utilities
FireFTP, FireKeeper(WIDS) ffsniff, Oracle OraDB Error Code Look-up, SQL Connection, MySQL Client, JiWire(Wi-Fi)

Miscellaneous
GreaseMonkey, File Encrypter, Net-force Tools, Refspoof, MDHash Tool, Malware Scanner(Dr.Web), Logs(Enhanced History Manager)

Using any combination of these tools makes life easier for the pen-tester looking for specific vulnerabilities through fuzzing techniques. The complete list of extensions available in the FireCAT 1.3 release is shown in the screenshot above.

Friday, April 4, 2008

Website Defacements, A Game or Political Agenda? Decide yourself


Fast-moving technological ground, the discovery of new vulnerabilities and the development of 0-day exploits (PoC - proof-of-concept exploit code) have for years proven to be the most sophisticated arena of the internet underground. As shown in the press, media and various publications, hackers or crackers involved in illegal activities are taken down by U.S. Marshals or other federal authorities on a day-to-day basis. On the other hand, these federal agents (e.g. FBI or Interpol) in turn give leniency to the caught hackers/crackers so that they help them get deeper into the real gang behind those criminals.
(Ref. TJX Data Breach, late 2007)

Far from the world's open views of the hacker as 'a computer guru' or as 'a cracker' who uses his computer skills to cause intentional loss to an organization, it is fairly clear that some of these activities are carried out with malicious intent and some without. Taking a look into one of the famous defacement archives, which publishes statistics on various bases:
(Zone-H.org - Statistics report 2005-2007)

From the given report, it is much easier to analyze the specific attack components as the weakest link in these massive defacements. For instance:
Web server technologies: (Apache, IIS)
Operating systems: (Linux, Windows 2003)... and more, as shown in the screenshots.



The main difference identified is a massive drop in defacements of Windows-based servers, which has now turned back onto Linux servers. This is because late in 2003-2004 most internet companies and e-business organizations decided to switch to Linux for its flexibility and security while transacting over the internet. But if we look into the "Top Attack Methods" applied over the last 3 years, the very first is "Misconfiguration". The reason is that most system administrators deploy the company's network infrastructure insecurely and push ahead with default installation procedures, which turns into a black day for them when a defacement succeeds. From a web application security view, known attack vectors include SQL injection, XSS (cross-site scripting), file inclusion attacks (LFI/RFI) and weaknesses in other application controls such as authentication, transaction integrity (e-commerce etc.) and confidentiality.

Getting into the real world of defacers gives an insight into the terrible information warfare among various groups of hackers: some hack for fame, some as political activists and some for fun.
(Ref. Video - "Cyberwars" at video.google.com)

What's the reality behind hacking into the Pentagon? (U.S. trade secrets or more...) But why do they hack them? It is a question that has remained unanswered for years. As described by the media, this could be a cross-border terrorism issue which leads to the cracking of government systems to obtain secret information. As shown in the above video on the Discovery Channel, "A 19-year-old boy from Malaysia claims to hold the most dangerous virus, still operating under lab mode"; iDefense has clearly cited that such an attack could cause billions of computers to shut down within a matter of seconds.

"This is this thing keeping everyone's lungs and lips locked, it is called fear and it's seeing a great renaissance."
- The Dresden Dolls

Wednesday, April 2, 2008

Network Penetration Testing Framework: From A-to-Z

Security assessment or penetration testing starts with numerous steps, each involving a number of different or related operations. The following are the major steps that lead into in-depth security analysis of the target host or network, from information gathering through to successful exploitation.

-Information Gathering or Footprinting
(Public database (whois), Netcraft, Telephone directories, Physical Locations, Blogs, Newsgroups)

-Network Scanning
(Nmap, Unicorn Scan, Scanrand, Superscan)

-Enumeration & Service Identification
(Netcat, DumpSec, NBTScan, DNS Zone Transfers (nslookup), p0f, NetE, SNMPWalk)

-Password Cracking
(LC5 (LM/NTLM Hashes), LCP Tool, Cain and Abel (Multi-cracking tool), Passcracking.com (MD5, SHA1, MySQL), THC-Hydra)

-Vulnerability Assessment
(Tenable Nessus, NeXpose, QualysGuard, X-Scan, Shadow Security Scanner(SSS), SARA, SAINT, ISS Scanner, eEye Retina, Matta Colossus)

-Exploitation & Privilege Escalation
(Metasploit Framework, InGuma Toolkit, *nix Local Root Exploits-http://www.linuxrootkit.cn/localroot/, WebShells(like c99/r57shell for PHP and others for ASP,JSP,ASPX,PL) including web-based backdoors, IIS/Apache based privilege escalation tools etc.)

-Maintaining Access
Rootkits (AFXRootkit, AphexRootkit, FURootkit, hxdef100r, Nuclear-Rootkit, MBR Rootkits)
Trojans (Shark, Nuclear RAT, ProRat, Poison Ivy, Bifrost)
NTFS ADS (Alternative Data Streams to hide data inside another file)
Steganography (Mp3Stego, ImageHide, Camera/Shy)

-Covering Tracks
(AuditPool, Evidence Eliminator, WinZapper)

NOTE:
Familiarising yourself with these tools and their techniques in your lab, and understanding their procedures and usage, is what makes a successful penetration test against your chosen target. Besides these tools, a number of other security auditing tools exist; mentioning all of them is beyond the scope of a blog post. But to name some of them, in their relevant categories, that are worth looking at:

-Static Code Analysis
(FindBugs, RATS, CodeSecure, Coverity Prevent, Pixy, SWAAT, MZTools, Fortify, Ounce, Parasoft, Sprajax)

-Fuzzing Tools
(SPIKE, Sulley, PROTOS, WSFuzzer, Codenomicon, Peach, beSTORM, EFS, ISIC, zzuf, Scratch, LXAPI, antiparser, FileFuzz)

-Advanced Automated Exploitation
(ImmunitySec Canvas, Argeniss 0day, CoreImpact, GLEG VulnDisco)

-Web Application & Database PenTesting Tools
(Acunetix Scanner, Watchfire Appscan(IBM), SPI Dynamics WebInspect(HP), NGSSQuirreL, AppDetectivePro, Typhon III, Paros Proxy, BurpSuite, Cenzic Hailstorm, WebScarab, Wapiti, Nikto, w3af)

-Penetration Testing Methodologies and Assessment Frameworks
(OSSTMM, ISSAF, VulnerabilityAssessment.co.uk)


Online Vulnerability Databases:

SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)




Penetration Testing: From "A" to "Z"



A path towards security assessment or penetration testing starts with numerous steps, each following a number of different or related operations. The following are the main steps that lead to in-depth security analysis of the target host or the network to be successfully penetrated, from information gathering to exploitation.

-Information Gathering or Footprinting
(Public database (whois), Netcraft, Telephone directories, Physical Locations, Blogs, Newsgroups)

-Network Scanning
(Nmap, Unicorn Scan, Scanrand, Superscan)

-Enumeration & Service Identification
(Netcat, DumpSec, NBTScan, DNS Zone Transfers (nslookup), p0f, NetE, SNMPWalk)

-Password Cracking
(LC5 (LM/NTLM Hashes), LCP Tool, Cain and Abel (Multi-cracking tool), Passcracking.com (MD5, SHA1, MySQL), THC-Hydra)

-Vulnerability Assessment
(Tenable Nessus, NeXpose, QualysGuard, X-Scan, Shadow Security Scanner(SSS), SARA, SAINT, ISS Scanner, eEye Retina, Matta Colossus)

-Exploitation & Privilege Escalation
(Metasploit Framework, InGuma Toolkit, *nix Local Root Exploits-http://www.linuxrootkit.cn/localroot/, WebShells(like c99/r57shell for PHP and others for ASP,JSP,ASPX,PL) including web-based backdoors, IIS/Apache based privilege escalation tools etc.)

-Maintaining Access
Rootkits (AFXRootkit, AphexRootkit, FURootkit, hxdef100r, Nuclear-Rootkit, MBR Rootkits)
Trojans (Shark, Nuclear RAT, ProRat, Poison Ivy, Bifrost)
NTFS ADS (Alternative Data Streams to hide data inside another file)
Steganography (Mp3Stego, ImageHide, Camera/Shy)

-Covering Tracks
(AuditPool, Evidence Eliminator, WinZapper)

NOTE:
Besides assisting yourself with these tools and their techniques in your laboratory, and understanding their procedures and usage, you can evaluate the success of the penetration test against your chosen target. Apart from these tools, there are a number of other security auditing tools that exist; mentioning all of them is out of reach. However, naming some of them in their corresponding categories is worth analysing:

-Code Analysis
(FindBugs, RATS, CodeSecure, Coverity Prevent, Pixy, SWAAT, MZTools, Fortify, Ounce, Parasoft, Sprajax)

-Fuzzing Tools
(SPIKE, Sulley, PROTOS, WSFuzzer, Codenomicon, Peach, beSTORM, EFS, ISIC, zzuf, Scratch, LXAPI, antiparser, FileFuzz)

-Advanced Automated Exploitation
(ImmunitySec Canvas, Argeniss 0day, CoreImpact, GLEG VulnDisco)

-Web Application & Database Penetration Testing Tools
(Acunetix Scanner, Watchfire Appscan(IBM), SPI Dynamics WebInspect(HP), NGSSQuirreL, AppDetectivePro, Typhon III, Paros Proxy, BurpSuite, Cenzic Hailstorm, WebScarab, Wapiti, Nikto, w3af)

-Penetration Testing and Assessment Methodologies
(OSSTMM, ISSAF, VulnerabilityAssessment.co.uk)

Online Vulnerability DBs:
SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)



Translated by: Rafael M and Alfredo G.