Archive for the 'Security' Category

Open Source Alternatives to PGP Desktop/SDA

PGP Desktop products (Pro/Home) provide a neat set of features for all your email encryption, file and disk encryption needs in one nice package, but for a price. However, there are open source alternatives that offer similar features, which are more than enough for home and small business users. PGP Desktop offers a great set of features for Enterprise customers, with server-based management and recovery features, but these features are rarely needed in a small business or home environment. The tools presented here have existed for a while, but even then the security and small business community seems to gravitate more towards PGP Desktop. This entry is merely a reflection to say that all the features of PGP Desktop are available for free and in open source if you’re willing to work with 3 well-developed applications.

Public Key Email Encryption/Signing/Decryption/Key Management


Polymorphic ECMAScript Generator!

JavaScript (in cryptic speak, ECMAScript) worms are becoming increasingly common, and so are advances in anti-detection. Heard of polymorphic (code-changing) viruses? The same concept has been observed in recent worms as well. Detecting polymorphic code is difficult, and Gareth Heyes has a nice article on why it is a challenge in JavaScript. To prove his point, he even has a polymorphic JavaScript code generator on his site.

To sum it up, here is a piece of JavaScript, ternary morphed using his tool:

alert(’JS morph XSS’);

eval(((0 < 4 ? ‘a’ : ‘JfwGL’)+(0 < 4 ? ‘l’ : ‘JfwGL’)+(0 < 4 ? ‘e’ : ‘JfwGL’)+(0 < 4 ? ‘r’ : ‘JfwGL’)+(0 < 4 ? ‘t’ : ‘JfwGL’)+(0 < 4 ? ‘(’ : ‘JfwGL’)+(0 < 4 ? ‘\” : ‘JfwGL’)+(0 < 4 ? ‘J’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘ ‘ : ‘JfwGL’)+(0 < 4 ? ‘m’ : ‘JfwGL’)+(0 < 4 ? ‘o’ : ‘JfwGL’)+(0 < 4 ? ‘r’ : ‘JfwGL’)+(0 < 4 ? ‘p’ : ‘JfwGL’)+(0 < 4 ? ‘h’ : ‘JfwGL’)+(0 < 4 ? ‘ ‘ : ‘JfwGL’)+(0 < 4 ? ‘X’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘\” : ‘JfwGL’)+(0 < 4 ? ‘)’ : ‘JfwGL’)+(0 < 4 ? ‘;’ : ‘JfwGL’)))
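
Because morphed output like the line above differs from one generation to the next, matching its literal text is fragile; a scanner can instead fold the constant ternaries and match on the recovered string. The following is an added example, not code from Gareth Heyes's tool or from the original post, that does this statically without calling eval(). The names TERM, COMPARE, unescapeLiteral, foldTernaryConcat and looksLikeHiddenEval are hypothetical, the four-term threshold is an assumption, and SAMPLE is the page's morphed line re-typed with ASCII quotes.

```javascript
// Added example: recover the string hidden by the ternary morph shown above
// by constant-folding each "(A op B ? 'x' : 'junk')" term. Nothing is eval()'d.

// One morphed term; string bodies may contain backslash escapes such as \'.
const TERM = /\(\s*(\d+)\s*(<=|>=|==|!=|<|>)\s*(\d+)\s*\?\s*'((?:\\.|[^'\\])*)'\s*:\s*'((?:\\.|[^'\\])*)'\s*\)/g;

const COMPARE = {
  '<': (a, b) => a < b,    '>': (a, b) => a > b,
  '<=': (a, b) => a <= b,  '>=': (a, b) => a >= b,
  '==': (a, b) => a === b, '!=': (a, b) => a !== b,
};

// Decode the simple escapes a single-quoted JS literal can carry.
function unescapeLiteral(body) {
  const named = { n: '\n', t: '\t', r: '\r' };
  return body.replace(/\\(.)/g, (_, c) => (c in named ? named[c] : c));
}

// Returns the folded payload, the number of terms folded, and whether anything
// other than the eval(...) wrapper and '+' operators was left over.
function foldTernaryConcat(src) {
  let payload = '';
  let terms = 0;
  const rest = src.replace(TERM, (_, a, op, b, whenTrue, whenFalse) => {
    const taken = COMPARE[op](Number(a), Number(b)) ? whenTrue : whenFalse;
    payload += unescapeLiteral(taken);
    terms += 1;
    return '';
  });
  const residue = rest.replace(/eval|[()+\s;]/g, '');
  return { payload, terms, fullyFolded: residue === '' };
}

// The morphed line from this page, re-typed with ASCII quotes.
const SAMPLE = String.raw`eval(((0 < 4 ? 'a' : 'JfwGL')+(0 < 4 ? 'l' : 'JfwGL')+(0 < 4 ? 'e' : 'JfwGL')+(0 < 4 ? 'r' : 'JfwGL')+(0 < 4 ? 't' : 'JfwGL')+(0 < 4 ? '(' : 'JfwGL')+(0 < 4 ? '\'' : 'JfwGL')+(0 < 4 ? 'J' : 'JfwGL')+(0 < 4 ? 'S' : 'JfwGL')+(0 < 4 ? ' ' : 'JfwGL')+(0 < 4 ? 'm' : 'JfwGL')+(0 < 4 ? 'o' : 'JfwGL')+(0 < 4 ? 'r' : 'JfwGL')+(0 < 4 ? 'p' : 'JfwGL')+(0 < 4 ? 'h' : 'JfwGL')+(0 < 4 ? ' ' : 'JfwGL')+(0 < 4 ? 'X' : 'JfwGL')+(0 < 4 ? 'S' : 'JfwGL')+(0 < 4 ? 'S' : 'JfwGL')+(0 < 4 ? '\'' : 'JfwGL')+(0 < 4 ? ')' : 'JfwGL')+(0 < 4 ? ';' : 'JfwGL')))`;

// Flag an eval() whose whole argument is folded constant ternaries
// (threshold of 4 terms is an assumption, chosen to skip one-off ternaries).
function looksLikeHiddenEval(src) {
  const r = foldTernaryConcat(src);
  return /^\s*eval\s*\(/.test(src) && r.terms >= 4 && r.fullyFolded;
}

console.log(foldTernaryConcat(SAMPLE), looksLikeHiddenEval(SAMPLE));
```

The folded payload, not the morphed text, is what a content rule should be matched against; changing the junk string or the comparison operands leaves the folded result unchanged.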

Adobe AIR Security

Adobe recently launched AIR, previously known as Apollo, a cross-platform framework to deploy Flash-style applications to the desktop and web. The new applications are called RIAs - Rich Internet Applications. Every time there is a new web offering it is subject to security evaluations by many curious minds, and AIR will be no exception. Adobe engineers have released a few resources on the security model of AIR; check them out at “AIR Security” and “AIR bubbles up”.

AIR defines logical containers called “application sandboxes” to limit what the AIR application can access, similar to cross-domain, cross-frame restrictions. Adobe for its part has documentation out to educate developers on the dos and don’ts for good security, “Best Security Practices”; let’s hope the RIA developers heed these. It’s always a classic in the security world to see functionality and first-to-market driving development cycles, with security as an afterthought.

The AIR is out, let the analysis begin! For starters, play with SandboxBridges.

Setting up a parent-child sandbox relationship

AIR adds the sandboxRoot and documentRoot attributes to the HTML frame and iframe elements. These attributes let you treat application content as if it came from another domain:

Attribute Description
sandboxRoot The URL to use for determining the sandbox and domain in which to place the frame content. The file:, http:, or https: URL schemes must be used.
documentRoot The URL from which to load the frame content. The file:, app:, or app-storage: URL schemes must be used.

UMA FemtoCell Security Concerns

Recently completed a write-up on Unlicensed Mobile Access (UMA) and FemtoCell Security Concerns. It’s available online under the articles section, check it out.

Quick and Dirty Fuzzing

I’m a bit late into the fuzzing game, and recently I was thrown into a few short projects that involved third-party server components. Tools like Sulley and SPIKE produce good results, especially since you can fuzz in depth with several test cases, but if you are short on time and haven’t had a chance to learn to use them, TAOF (The Art of Fuzzing) is very handy. It’s a GUI fuzzer written in Python, portable to any platform. The tool, being a GUI, is one of those fuzzers that you can just unwrap and run. TAOF works as a MITM TCP network proxy: point the client to TAOF and it forwards the traffic to the server/services in question. Set the fuzzing points, then select the signatures to inject for stack/heap overflows, string overflows, integer overflows, and dictionary attacks. Literally Click-Point-Click.

TAOF, by default, may not be as robust as other fuzzers, but you can edit the Python source for more signatures. The tool also stops fuzzing when it crashes the service. But that’s when you pull out the big boys like Sulley and Peach, where you can focus on interesting points for more in-depth analysis.

BTW, Peach 2.0 came out last November. It no longer requires the tester to write convoluted Python code. It runs by feeding it an XML data definition, then letting Peach cook and create the data mutations.

Top VoIP Vulnerabilities in 2008

Sipera recently announced its list of Top 5 VoIP Vulnerabilities in 2007. A similar, more detailed list, “Top 9 VoIP Threats And Vulnerabilities”, was also released by CMP Channel. Sipera has provided some input to the article, so they are essentially the same list with a few more thrown in to make the list Top 9. The VoIP vulnerabilities stated are nothing new; they have existed and remained almost the same since VoIP hit the mainstream. However, it’s good to release a Top 10 list every year to keep reminding people that they still exist!!

Top 5
Remote eavesdropping
VoIP Hopping
Vishing (Caller ID spoof and identity theft)
Toll fraud
The Skype worm


Phishing the Phishers

DIY phishing kits make it easier for even novice fraudsters to set up phishing sites. These point-and-click tools have a few variables that need to be configured, and a phisher is all set to send spam emails hoping unsuspecting users will follow to their fake financial sites. Some phishing sites also use malware installers like MPack and Zunker, which run massive command and control networks. What’s interesting lately is that these phishing/botnet kits have been reported to contain backdoors that silently send all the victims’ information to the kit’s author. Well, the economics of phishing makes it worthwhile to do whatever it takes to get their most prized asset: your PII - Personally Identifiable Information.

For some awesome foo on phishing the phishers, check out Nitesh and Billy’s talk at BlackHat Federal ‘08. You’ll be surprised by what they have to say!!

Secure DLP = endpoint + network

Data leakage concerns hit all-time highs in 2007; a recent survey shows 71% of people fear a remote worker will lose their PII. Enterprises were quick to explore Data Leakage Protection/Data Loss Prevention (DLP) products since 2003, however the software solutions were still being perfected then. These products seem to have matured now and have hit mainstream Enterprise deployments. Recently I had the opportunity to do security reviews on some of the products in the market. DLP products come in two flavors -

OllyDbg as a TCP Proxy with Uhooker

Greetings to one and all… I’m back after a fantastic vacation to India. I was looking for interesting things to research and I bumped across Hernan Ochoa’s blog and an interesting OllyDbg plugin called UHooker (i.e., Universal Hooker). UHooker is basically a plugin that allows testers to hook into functions. I used UHooker to effectively fuzz the input to Google Talk by hooking into the ws_32.send method, and the results seemed interesting initially. The great part is it’s written in Python. There are a few libraries required to get it running effectively; for example, PyWin32, available from SourceForge, is one of the libraries required for Python to understand the plugins. Just place the files, i.e., proxy.py, server.py, *.cfg and uhooker.dll, in the same directory as OllyDbg.exe and you should be able to use the UHooker plugin. The script that I thought was best from a pen-testing perspective was tcpnet.py, which allows you to use Hex Workshop as a TCP proxy that can be used just as other HTTP proxies such as Paros, Burp, WebScarab etc. can be used.

Chronology of data breaches and hacking incidents

The good folks at privacyrights.org maintain a comprehensive list of data breaches starting from 2005. You’ll be surprised to see there are 10 reported incidents in the first 11 days of 2008. At the end of the page there is an interesting figure:

TOTAL number of records containing sensitive personal information
involved in security breaches in the U.S. 217,393,476

Folks at the Web Application Security Consortium maintain The Web Hacking Incidents Database, a list dedicated to reported web application hacks. During the first 11 days of 2008 there appears to be only one webapp incident reported, in contrast to the data breaches list. It’s time companies reported proactively on WebApp hacks, just like how they are mandated by law to report data breaches.