Security Corner


October 30, 2009  3:11 PM

Hacking Skills Challenge – Level 8

Ken Harthun Ken Harthun Profile: Ken Harthun

So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:

The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote an script to demonstrate her ability.

Did you catch that key phrase in the description above? It’s “…executed by the server…” and it’s PHP. That’s what tipped me off. We should be able to execute a simple PHP script from the input box, don’t you think? In PHP you can execute commands with a simple structure. Let’s see what happens if we type in the ls command like this:

[<]!–#exec cmd=”ls”–[>] (brackets to allow proper display only–don’t use them)

That give us some output, but not what we’re looking for, I’m afraid:

Your file has been saved. Please click here view the file.

That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].

That’s not what we’re looking for.

Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/; We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again so we list the parent directory:

[<]!–#exec cmd=”ls ..”–[>] (again, don’t use the brackets)

Voila! Now we get this as the output when we click the link to view:

Hi, au12ha39vc.php index.php level8.php tmp!

The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.

Mission accomplished!

October 30, 2009  2:02 PM

Updating the Anti Virus Bootable Thumb Drive

Ken Harthun Ken Harthun Profile: Ken Harthun

My recent post, Convert Any Live CD to a Bootable Thumb Drive in Minutes, referred to the Kaspersky rescue CD as one possible way to make an anti virus bootable USB thumb drive. A lot of people over at my Ask the Geek site have done that and had success with it. However, I have been getting a lot of questions about the updating function, most of them along the line of how to force a static IP address. This should clear it all up.

The Question: Hey Geek, As with the other commenters, thank you so much for this guide and utility. It could potentially be a life saver.

I do however have a few questions:

1) I am guessing the networking side of things works via dhcp, i have looked through the files, but am no linux expert so wondered if there is a way of setting a static ip?

2) Where are the virus deffinition updates saved to? I ran the update on my laptop (dhcp) then plugged the usb drive to a machine with no dhcp and it said the deffinitions were out of date, I would have hope it updated them on the usb key?

My answer: 1. Yes, it works via DHCP. Normally, you would be able to set a static ip address by using the procedure below. You’ll want to get into the linux command console. I believe the rescue disk UI has a link for that. You can then assign a static ip address:

ifconfig eth0 <ip address> up netmask 255.255.255.0
route add default gw <gateway router address>
ifconfig eth0 down
ifconfig eth0 up
route add default gw <gateway router address>

You can verify the ip address by typing ifconfig with no parameters. It
should show the address you set for eth0.

2. The updates are saved to memory, so they go bye-bye when you reboot.
It’s better to update every time you use it anyway, so you always have
the current definitions. I’ll investigate the ../etc/conf file and see
if I can resolve this.

Hope this helps anyone here who has had similar questions.


October 29, 2009  1:16 AM

18 Nigerian Spammers Headed for the Slammer

Ken Harthun Ken Harthun Profile: Ken Harthun

Nigeria’s Economic and Financial Crimes Commission (EFCC) says that their “Operation Eagle Claw” has so far seen members of 18 syndicates arrested and 800 scam websites shut down. The chairman of the anti-scam force, Mrs. Farida Waziri said:

We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails.

At the moment, Eagle Claw has delivered the following results:

Over 800 fraudulent e-mail addresses have been identified and shut down. The EFCC is fine tuning security modalities with Microsoft and upon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly.

There have been 18 arrests of high profile syndicates operating cyber crime organizations.

When it [Eagle Claw] is fully deployed, it will afford the EFCC the option of either monitoring or shutting down all fraudulent email addresses. The EFCC would also have identified victims and potential victims and advised them that their email has been compromised.

Does this mean we won’t be getting anymore of those touchy-feely emails from Mrs. Farzad Arubi (or whatever bogus names they use these days) who really needs our help to move a million dollars from her late (murdered) husband’s estate?

Not likely, but it’s good see some of the perpetrators taking it on the chin.


October 28, 2009  12:15 AM

Hacking Skills Challenge – Level 7

Ken Harthun Ken Harthun Profile: Ken Harthun

Once again it’s a slow security news week, so time to tackle the next hacking skills challenge level. So far, we’ve explored the first 6 basic missions at HackThisSite.org. The difficulty level is supposed to increase at each level, but this one is only difficult if you don’t know Linux. Here’s the challenge:

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command.

This one is so easy you don’t even have to look at the source code. But you do have to know about chaining commands in Unix.

If you enter a year, you’ll get a full 12-month calendar with all weeks beginning on Sunday displayed on the resulting output page. This is default behavior of the cal command. It looks like all the script does is execute the command, taking your input as a parameter.  We can prove this by leaving the field blank; the script returns the current month and year, i.e., default behavior.

The key to cracking this one is the phrase “…obscurely named file saved in this very directory.” We know the permissions are good to run commands on that directory, so let’s just chain the ls — list directory contents — command and see what happens. (You chain commands in Linux using && between them.) Enter the following in the text box: && ls and click the View button. Here’s the output:

       October 2009
Mon Tue Wed Thu Fri Sat Sun
              1   2   3   4
  5   6   7   8   9  10  11
 12  13  14  15  16  17  18
 19  20  21  22  23  24  25
 26  27  28  29  30  31

.
..
level7.php
cal.pl

index.php
k1kh31b1n55h.php
perl5.8.9.core

Looks to me like k1kh31b1n55h.php is our file. Stick it in the URL and open it up. Voila! The password, f866d6b9, is revealed.

Mission accomplished!


October 21, 2009  7:08 PM

Panda Security Finds Automotive Industry Hit Hardest by Spam

Ken Harthun Ken Harthun Profile: Ken Harthun

Interesting study. It seems that spam content received is constant across all industries and the majority of it is pharmaceutical related. This could mean one of two things: either very few spammers are responsible (likely); or, a lot of men fall for the v-i-AGR*A spam. Anyway, check it out:

Panda Security has just completed a 3-month long study of spam across 11 different industries, exposing that automotive industry is most heavily targeted. The study found that 99.89 percent of all e-mail received by the automotive industry is spam, with just .11 percent being legitimate messages. The automotive industry was closely followed by the electronics industry and governmental sector as the top spam targets.

When analyzing the survey, Panda found it particularly interesting that while industries are targeted in different ratios, the content of the spam they receive (the majority of which is pharmaceutical related) is constant across all industries.

View the full press release online here: http://www.pandasecurity.com/usa/homeusers/media/press-releases/viewnews?noticia=9906

Panda has posted a breakdown of how each industry is affected to its Flickr page:  http://www.flickr.com/photos/panda_security/4026424134/



October 20, 2009  12:12 AM

Acrobat Reader Users Should Switch to Foxit Reader, Shrink Their Attack Surface

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m not going to rant, I promise–I don’t have to because this doesn’t affect me. Several years ago, I abandoned the bloated, insecure and extremely resource-intensive Acrobat Reader in favor of the smaller and more secure Foxit Reader. Once again, here is more evidence that I’m right to have switched.  Brian Krebs of The Washington Post wrote:

Adobe Plugs 29 Critical Reader, Acrobat Holes

Adobe Systems Inc. on Tuesday issued a new version of both Adobe Acrobat and its free Adobe PDF Reader to fix at least 29 separate security vulnerabilities in these products.

If you have either (or both) of these programs installed, take a moment to update them. Adobe warns that hackers already are exploiting at least one of the flaws to break into vulnerable systems.

No! Don’t update. Shrink your attack surface and switch to Foxit Reader and their other PDF software. Not only are Foxit Software’s products more secure, they’re also cheaper.


October 19, 2009  11:54 PM

Mozilla Disables Insecure Microsoft Firefox Add-on

Ken Harthun Ken Harthun Profile: Ken Harthun

When I fired up my laptop the other day, I was greeted with this pop-up box:

If you’re running Firefox, you may have already seen it yourself. Recall that these add-ons were installed into Firefox without the user’s permission, causing quite an uproar in the Mozilla user community. Brian Krebs of The Washington Post wrote:

In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Mike Shaver, Mozilla’s vice president of engineering, wrote Friday on the Mozilla Security Blog:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.

At least Microsoft agreed with Mozilla’s action to block the insecure add-on, but shame on them for blatantly compromising the security of a browser they don’t even own.

Conspiracy theorists: Do you have an opinion on this?


October 19, 2009  11:34 PM

Trust Only https:// on Form Pages

Ken Harthun Ken Harthun Profile: Ken Harthun

How often, when you log into a site that requires a username and password, to you check to see if the connection is secure? You probably don’t give it a second thought. Most people don’t. For many sites, like newspapers, online magazines, etc., it probably doesn’t matter much. Who cares if someone logs into a news site with your credentials? They’re not going to gain anything by doing so and there’s no identity or personal financial information at stake.

For any sites where you are accessing or entering sensitive identity or financial information such as bank account or credit card numbers or government program IDs such as Social Security numbers, State identification numbers or the like, you are seriously at risk of identity theft if you trust this information to a form that is served as “http://[URL].” It’s true that the Submit button may invoke transmission of the information using https:// (SSL), but there is no guarantee that this will happen, so you risk sending your information “in the clear.”

Best practice: change all of your bookmarks pointing to financial and other sensitive site login pages to read “https:// [URL of site].”


October 17, 2009  12:23 AM

Free Encryption Tool for the Absentminded

Ken Harthun Ken Harthun Profile: Ken Harthun

Security software firm SOPHOS (I’ve tested their products in the past) sent me an email yesterday offering a free encryption tool. I tested it this evening and I’m impressed. It’s very simple to use and is definitely a cure for the absentminded:

Whether you lose your laptop, misplace a CD or leave your USB drive in the coffee shop, if it’s encrypted you don’t have to worry about
becoming tomorrow’s headline!

Get the FREE Sophos encryption tool now and you can lose your data without losing your mind.

Sophos FREE Encryption:
an easy to use tool that encrypts your files, folders and emails.

I suggest you download this immediately and pass it on to everyone you know. Combine this with the LAlarm software and you have an unbeatable combination.

Here’s the download link: http://www.sophos.com/mk/get?_EC=2LMC0U-c476w3xDfL8K5RQ

Let me know what you think.


October 15, 2009  3:18 AM

Convert a USB Thumb Drive into a ROBAM

Ken Harthun Ken Harthun Profile: Ken Harthun

What’s a ROBAM? you ask. Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from http://unetbootin.sourceforge.net/
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.

I haven’t tried this, so comments welcome.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: