So why mobile devices?
For an attack surface, I think mobile devices are where it will be more then ever in the next 18-24 months. There is a few things that I think point to this;
- Mobile devices are out shipping traditional desktop computers. I don’t think this should be a surprise, while houses may have a PC or even a few. Depending on the age each member of the home may own a mobile device. It would be rash to say the desktop will die, but I think there is many things that a smartphone is far better suited to do then even a ultra thin laptop. Personally I always have a mobile device with me, and I am sure that is true for most people. My smartphone travels more in a year then my laptops ever have.
You can see this with the trending of the number of desktops vs mobile devices.
While this does not look like it is even close to a tipping point, if you go to the source of the graph below you will see that there is multiple countries where the mobile device is on the verge of becoming the majority.
- There is already multiple markets where smart phones have out paced desktops, specifically in developing markets. Infrastructural limitations are easily over come with these devices, you don’t need miles of copper and fiber to provide services to customers. Also unsteady sources of power are not an issue like they are with a desktop or even a laptop.
Check out the source of this graph, it breaks it down by what percent in each country is mobile or desktop.
- Mobile devices are a target rich environment. Information such as email, phone messages, documents. Now with the push of bringing banking applications and payment services to the handheld this is creating a target that is too large and rich not to target.
If and that is a big if. There is 2,000,000,000 desktop PC’s in April 2014 and 13.75% of those are running Windows XP there should be around 275,000,000 PC’s still lingering on XP. Also I think if these are going to be a viable attack target they will have to be running something other then IE8. It will be a significant effort to locate something in a third party browser to only attack 14% of the machines available to you. It would make more sense for an attacker to spend their efforts on the 86% of the rest of the Internet. I am not saying it won’t happen, but I think if you are trying to maximize your work for output this is not the place to spend it.
Now if there was an attack that did target IE8, maybe something someone has been sitting on for several years what does that look like?
If we do what we did before and just trend the line out you end up with 3.1% of machines running XP are still running IE8. So that is 8,525,000. That number to me is nothing significant at in the over all threat environment of the internet. If everything carries on the way it has, Windows XP machines will account for 0.42% of active machines on the internet.
I also personally think that these numbers will turn out to be too generous. I think that they will be almost have of what I currently estimated. With all of the sources of pressure to leave XP, and hopefully other will have aged to a point where they will just cease to function. The security impact of XP throughout 2014 and beyond should be minimal.
I can think of a few things in 2013 and by 2014 that will be leading causes of concern. Like mobile devices, tablets, smartphones. Next I will see if we can figure something out with these.
The next thing we have to look at is what is the current and trending browser shares.
I think this is the most important metric that will decide how much of a concern the number of active XP / IE8 machines there is post April 2014. Currently I cannot find any dates on when Chrome and FireFox will stop supporting XP, but they both list XP SP2 as the oldest version they will support. So I think they will be until at least yearly 2014, I cannot seem them supporting it as an install platform past April that year.
We can try and finish out that graph line for IE8 just to give us a number to work with.
Date IE 8.0
The amount of market share that IE8 loses each month seems to be current around 0.5%. At least that is a conservative number of the past 12 months.
Well now I think we have enough that we can put a number on the machines that will still be running XP and IE8 by April 2014 now. I think it is going to be very conservative, and when we get there I think other factors will make it smaller. But this will work for us.
So how do we figure out what the Windows XP usage will be post April 2014? If you look at the raw data from the chart ( Which you can download if you want to look at it ). Windows XP appears to be losing about 0.75% of market share every month, that is not scientific but it’s still pretty conservative;
If you work off of 0.75 decline every month out to April 2014 you end up with around 14.5% Windows XP market share. Personally I think this will turn out to be less, I think there is still a large amount of corporations that are still running XP and plan on leaving in 2013. So I would expect to see a large decrease by the middle to end of this year.
Also before then users with Windows XP should start to abandon Internet Explorer 8 in greater numbers. At least in theory, this should create a slight increase in Chrome and FireFox users. It should also start getting more users moved that have been waiting to start upgrading as other vendors follow Google as it has already given IE8 walking papers for support inside Google Apps in November 2012. This should further reduce our 14.5% by April 2014.
Well ok, I am sure it won’t be the end of the world. But April, 8th 2014 is the end of extended support for Windows XP. I am not going to get in to the details of this, but the basics is no more patches or help. The idea is to look at any possible security implications of this, for users, corporations and the Internet in general.
I was not able to get an exact number of active desktop PC’s in the world. But a good guess is going to be around the 2,000,000,000 yes that is two billion. I don’t think that is 100% accurate but for doing some maths it will be better then a decimal like 1.86 billion. I have found a few sources (from 2008), that estimate that there will be 2 billion by 2013 or 2014. I don’t think that takes into account the explosion of mobile devices, but we will get to that part later.
I have been able to track down some stats on active OS’s on the Internet and it allows us to change the dates and create some custom charts.
The source is http://gs.statcounter.com/.
There is significantly more Windows 7 machines then I would have thought already. Windows XP usage has been on a decline since the release of Windows Vista. This seems to have accelerated in January of 2009. Currently Windows XP is sitting at about 25%.
Is this going to create a significant security risk for 2014? We can try and look at the past and work with what we have here to try and get an idea.
It’s always nice when someone saves you time. This is one of the best things I have found this year.
This is a search engine that lets you search by geographical location, string, ports, and OS just to name a few of them. What great information if you are looking around for a specific system connected to a person or company. Once you locate that system you can see the ports and services it has detected on it and some basic banners.
It also has another section where you can search for vulnerabilities in a specific application or OS.
I have already spent the last hour just clicking around and exploring, they also have a section where you can locate a specific wireless router by MAC address.
Level 11 is going take a significant amount of more work then the previous levels. The hint does not immediately work out what the answer is.
The main part of the clue that you need is the “he does not understand Apache”. This is making me think htaccess.
Next when you click on the mission it only brings you to a page with a basic message.
Refreshing the page will only list different songs. Trying to get at a htaccess file at this level does not work, so it must be in a sub directory. If you noticed all of the songs are from Elton John. I tried multiple directories but nothing seemed to work, but if you tried the single letter “e” you will follow this tree.
Even the contents of the htaccess file does not directly give the answer.
IndexIgnore DaAnswer.* .htaccess
allow from all
But if you try one more time using what we know now from the htaccess file.
The answer is around! Just look a little harder.
This looks like another clue, but if you try “around” you will literally find out that it is the answer.
There is several ways to solve level ten, this time the hint is on the mission list page and not once you start the mission.
Not to be confused with the basic page once you click on that.
The hint should point you right at what you need to look at. I would start with tamper data and see what is going on when you log in. Also from what I can tell, there was no “correct” password. Although I did not look very hard once I got in.
I found level 9 very confusing for a bit, just like level 8 there is path given to us in the hint.
The same method you used to solve 8 is basically the same for 9, but work on 9 from the 8 site. Make sense?
If you solved 8, this will be easy. I am thinking that they are trying to make the distinction between relative and absolute paths. Or it was a mistake..
I have been mucking around with the hackthissite.org missions every little bit when I get bored just for something to poke at.
I will try to give an explanation of the solution hopefully with out giving it away totally.
What you really need to know is in the description of the mission. (Funny how they mention the path as you would on the system?)
If you tried a regular command injection, you will find pretty quick that it does not work. Something to do a bit a research on is something called Server Side Includes with Apache. See where that leads you.
Also I promise to get back to the Application levels, I have finished the basic missions and wanted to write them up first.