Thursday, August 23, 2007

THE CYBERWAR IS COMING, THE CYBERWAR IS COMING

PLEASE NOTE THIS POST IS HIGHLY SARCASTIC

I know I have been absent from blogging post Blackhat and that has lead to a lot of Dave withdrawal by the loyal reader of the Errata Security blog (Hi Mom). I am sorry, I have been working on a project that requires an unbelievable amount of time and attention. The project is almost over so soon regularly scheduled Dave musings will resume. I have to abandon my project temporally to post about the following.

OH. MY. GOD. RUN; do not walk, to your closest store and buy a copy of Wired.
Note: I almost wish I could use a blink tag for that.

There is an article this month’s issue about the cyberwar in Estonia on page 166 written by John Robb. I am almost certain Robb is not the same person who played "porn dealer" in the Nicholas Cage thriller, 8mm. While I am imparting interesting tidbits related to this story in a thinly veiled waste of your time, I have to make a revelation: for the first few months I had read about this story, I kept thinking that it was the country from the Dilbert comic strip. Funny enough it turns out that the country Dilbert often mentions is Elbonia. I am embarrassed. Even red-faced I feel good knowing that if I have offended anyone with my lack of geography knowledge, they can take comfort in knowing that my therapist and Microsoft Word’s Spelling & Grammar feature both agree I am functionally retarded.

Estonia is a hot conversation topic amongst the security crowd recently due to a DDoS that reportedly crippled their government. The topic even made its way to Vegas in the form of a Blackhat speech given by Gadi Evron. In an attempt to depict the massive attack by bots on Estonia, a nifty graphic accompanies the story. The graphic is a world map with lots of multicolored lines showing a bot attack in much the same way Wargames showed ICMB launches. That is it; mom-and-pop wired reader will now equate bot attacks to something like a nuclear missile launch. Here is Kevin Poulsen, also of Wired, writing about the DDoS attack.

UPDATE: The bot attack graphic has been found. From the Wired online story:


Bask in the glory that is the begining of the Cyberwarfare fear! Anybody want to take bets on how quickly similar graphs will show up in marketing materials for security companies? I can hear the sales pitch now, “buy our product or THIS can happen to you”, while sliding a copy of the picture across the desk.

Why am I worried? Becasue if you didn't know better you would think people are dying in the streets with the coverage the DDoS has been given. If I were to ask an average US citizen to look at this picture and tell me what they think about cyberwar I am sure I would get something like:



Ted, 22, Alabama
"You mean someone in Russia can stop from surfing por...err...the hours of the War of 1812 exhibt at my local museum? I sure don't like that. The government should do something about that. We have gone to war for less than that."

Amy, 24, Californa
"Like, I was on the interweb the other day and, like, I got kicked off. I bet it was those bot people going after me trying to get the pictures from my computer. People tell me I look like Paris Hilton, what do you think?"

Tony, 34, New Jersey
"I don't like someone else packets just coming in and out whenever they want. I wanna see them come try that in my neighborhood, I'd give them a dos right upside the head."
Note: I did not actually go ask any average citizens. The above statments are fiction. I did not query average citizens because I fear their replies and a serious case of apathy.
I hope you understnad that my sarcasm is not over the story or its contents but rather what this means for the future. Now that cyberwarfare has hit the mainstream and will surely become the topic of conversations at intellectuals’ cocktail parties, the flood of fear mongering is not far off. Imagine being a fly on the wall at one of insomnia curing parties:
“But Max, there is a CYBERWAR going on. Think of all the children who don't have access to family photos or their vacation itinerary or Ticketmaster. I think we should send relief in the form of iTunes gift cards, which should help ease the burden, some. I mean, it is just as bad as Darfur.”
Note: To get the full effect this statement would need to be in a nasally, high-pitched voice that a mere blogpost just could not convey.
In an effort to provide the feeling of safety to its citizens and because of the overwhelming success of the Terror Warning Level, a cyberattack warning level is not far off. Soon you will overhear people telling their friends “you shouldn’t go on Myspace today, the cyberattack warning level is orangish blue”.

After the warning level sinks in and is on everybody’s browser start page a list of things that all citizens should get and keep in case of a cyberattack. Do not be surprised if man countries issues statements like this:
“The Cyberwarfare sub directorate of the Infrastructure Crisis Avoidance office of Technology Assimilation and Integration Task Force from the Department of Homeland Security (CICATAITFDHS) has just announced the formation of a private company to address the growing concern over cyberwarfare. The newly formed company Unity will provide guidance and assistance to all entities under the name Unity. This governing body of this new company is a consortium of leaders from private industry and public service such as major software vendors, music and movie studios, and the NSA. The first act of Unity is to issues a list for essential things to have in the event the fear of a cyberattack on the US becomes a reality.

1. Devices like scissors, axes, or bolt cutters should be kept close to you internet access device. Cut your phone/DSL line in case of an attack.

2. Malware likes Viruses, Trojans, and 3rd party software like browsers and media players will be resistant to modern A/V tools. For this reason be prepared to microwave your hard drive in case an attack is launched or a Mozilla icon is spotted on your desktop.

3. Backup your files accordingly and store them in a safe place. In conjunction with this announcement, the NSA would like to announce they are partially leaving the intelligence community and now offer a secure offsite storage facility, called SafeAtHome, in sunny Maryland. For a nominal fee, all your important documents can be stored in a nuclear bombproof bunker. In no way would the NSA SafeAtHome program serve, as an intelligence source. The first 1,000 subscribers get a free DVD of the first season of the hit Fox show: “24”.

4. Analog radios, flashlights, and batteries need to stay in stock and
working order. The radio is for listening to the Emergency Broadcast System (EBS) for news about the cyberattack. In addition the radios could be, in theory, used to listen to music when your hard drive has been through the microwave process.

5. Duct Tape. You can never have too much Duct Tape.

In closing almost 99% of all successful cyberattacks use pirated software, music, and movies (such as the 20th Century Fox summer blockbuster Live Free or Die hard, available on DVDs soon) as the infection vector for the first wave of attacks. For this reason, consensuses that all pirated materials pose a threat to internet safety. Destruction of offending materials is required. To aid in the process a new tool just became available called Tattle that will help securely delete all unauthorized materials. By using this tool, you are agreeing that all inventoried items will undergo rigor analysis for potential malware by our partners.

In an effort to make the internet a safer place, everybody must cooperate in the above endeavors. If you discover that a person is not adhering to the set standard safety protocol, please report them to 1-800-TELL-ALL."
Of course, I could be wrong. Once Wired writes about it, it is downhill from there. Moreover, the best part is there will be all this fuss of some script kiddy P4cK3t W4rr10r5. Anybody know what time MTV’s “True Life: I’m a bot herder” is starting production?

Sunday, August 12, 2007

SQL injection is surpisingly easy

This Slashdot article talks about how the United Nations website was hacked via an SQL injection bug (as I write this, the defaced web pages have been removed but the SQL injection bug still exists). The article says that the existence of such an easily exploitable bug is "quite surprising to find in such a high profile site".

No, it's not surprising. SQL injection vulnerabilities are all over the Internet, including all over high profile sites. They are so prevalent that I will often do "real-time" hacking. During a presentation, I can find a completely new website and demonstrate that it's (almost certainly) vulnerable to SQL injection in under a minute.

The reason SQL injection works is that whereas most systems separate code and data, SQL combines them together. All a hacker needs to do is include some of his own code with the data he sends to a website, then he can gain control of the website.

Such code often starts with the single quote (') character. SQL interprets this as the boundary between code and data. It assumes that anything following a quote is code that it needs to run. Therefore, you can quickly tell if a website is vulnerable to SQL injection by simply typing a single-quote in the URL or within a field in the webpage. Security professionals inadvertently find such sites all the time because the quote ['] key is right next to the [Enter] key on American Qwerty keyboards. (Curious security professionals make this typing error with unusual frequency :-).

The above article points to the following webpage on the U.N.'s website:

In the picture, hackers have added a single-quote (') to the end of the last field "statID" in the URL. As you can see, the server responds with an SQL error message telling us it attempted to interpret that single-quote as code. Therefore, we can be fairly certain that this site is vulnerable to SQL injection. (Note that we cannot be absolutely certain without successfully hacking the site, but such error messages are 99.9% reliable in determining whether a website is vulnerable).

Let's do some real-time hacking. I went to Google and typed in "allinurl:statID" (using the same field as in the U.N. site). I went to the second result returned by Google, typed the single-quote (') character in the 'statid' field, and was rewarded with the following error message:
OraOLEDB error '80004005'
ORA-01756: quoted string not properly terminated
/app/contents.asp, line 1470


This is why people talk about "Google Hacking" - if you want to find a website to hack with SQL injection, you can use Google to find vulnerable websites for you. Curiously, the vulnerable United Nations website is the seventh result returned by my Google query. There appear to be many other vulnerable sites in the returned results, including one that might give me access to some SCADA systems.

One of the eternal mysteries of hacking is how can it be so easy? Hundreds of thousands of teenagers have the skills to hack these sites. You would therefore expect that such sites would have been hacked already, and once hacked, they would be fixed. Basic economics tells us that easily hacked websites should quickly be removed from the net, leaving only those that are hard to hack. Yet, the evidence says otherwise. I really have no answer to this question.


Links:

Sunday, August 05, 2007

SideJacking with Hamster

NOTE: you can download the program at http://www.erratasec.com/sidejacking.zip; make sure to read the instructions.

Others have done a better job blogging on my Hamster/SideJacking stuff than I could, so I'll just link to their sites: [DarkReading] [Brian Krebs] [tgdaily] [George Ou] (George has screenshots).

This isn't really "new" in theory. Man-in-the-middle on public WiFi's can do this sort of thing. Also, stealing cookies via XSS (Cross Site Scripting) can also do this for the hacker. What makes this interesting is that it's point-and-click easy with a sniffer on WiFi hotspots.

I played around with the "Wall of Sheep" yesterday at DefCon. I was owning more accounts using my tools than everyone else using Dsniff and EtterCap. I spent most of my time hunting for people using HotMail or Yahoo! Mail - I could have gotten a lot more accounts if I focused just on Gmail instead (it's like 20-to-one the ratio of DefCon attendees using Gmail vs. other online e-mail accounts).

I gave out my tools to a bunch of people personally, I'll be officially posting the tools on Monday afternoon to our website. Also, you can do this manually by using a traditional packet-sniffer and a tool like the Edit Cookies add-on for Firefox.

While copying/replaying cookies sounds easy, there are some additional tricks to it that I've found in practice. One trick is that URLs also contain unique identifiers. In order to sidejack a HotMail or Yahoo! Mail connection, you have to know which URL to use. The other is that when starting in the middle of a session, you see the "Cookie:" commands the browser sends to the server, but not the "Set-Cookie:" commands the server sent in the opposite direction. Sometimes things don't work because when I clone cookies sent with the path /aaa/bbb, I won't know that I should also send them with the path /aaa/ccc. I've found that when you gain access to a site, but the access is flaky, if you start browsing around the site, you'll eventually get the correct "Set-Cookie:" from the server, then everything will work correctly.

Sites confirmed safe from SideJacking

Remember that SideJacking only works if it catches a non-SSL cookie. Any site that uses SSL exclusively would be safe. If you would like me to test a site, then please send us an e-mail.

GMAIL
You are unsafe unless you start from something like "https://mail.google.com/mail/". Also, while this secures your Gmail, you may still be vulnerable if you access other Google properties, such as blogspot.com.

SALESFORCE.COM
I think most all their customers are safe from SideJacking. While I have seen unencrypted SalesForce.com connections, the default is to use complete SSL encryption which makes it safe from eavesdropping. If you are worried about this, I suggest you make sure "Require secure connections (https)" set to prevent accidental use of non-SSL. I am frankly impressed by SalesForce.com's commitment to security -- this is far better than any other Web 2.0 application that I've seen. They set the standard that others should follow in order to deal with this problem.

Wednesday, August 01, 2007

Congrats Apple!

Apple has a release an update to the iPhone to fix security problems in advance of the BlackHat conference.

This is a faster response than any other mobile manufacturer. In our experience working in this area, security fixes get lost from the software maker to the device manufacturer to the mobile service provider. None of them wants to own the process, so bugs either don't get fixed, or get fixed late.

In contrast, Apple as set a record for responding to security problems quickly, and proven that their new business model of owning the customer experience (rather than having companies like at&t or Verizon own the experience) is paying off. Wall Street analysts should pay attention to this, it's actually pretty important.

Unfortunately for Apple, hackers aren't really attacking the other phones, so customers don't realize that the smart phone they are using now (based on such platforms as BlackBerry, Symbian, Linux, or Windows Mobile) are just as vulnerable as the iPhone. This is just desserts for Apple, since they've been exploiting the same phenomenon with Windows vs. Mac OS X.

Now if Apple could just be nicer to researchers...