Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:
“http://google.com/safebrowsing/diagnostic?site=[URL of site you want to check]” (Leave off the http://).
Try it out for yourself on your favorite sites. You might be surprised at what you find out.
(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)
What do you think? Leave a comment!
So far, we’ve explored the first 3 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy. Today, we solve level four:
An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address.
This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.
So, what we have to do is hack the page to get the password sent to an email address of our own choosing. The script is invoked by clicking the “Send Password to Sam” button. Once again, we can view the source to see what clues are there. Paths to two scripts stand out:
Those are both relative paths. We can’t make them absolute and save the source, but we can save the page to the desktop, edit it, then open the local file. This should give us some action. Make sure to change the email address to one you own.
When the page is opened, we see the challenge screen. Click on the “Send Password to Sam” button and voila! A page appears to reveal the password 50c3072c. The script doesn’t actually email the password, so don’t bother checking the email address you entered.
According to some, level 5 is a bit tougher, but I’m sure we have the talent.
What do you think? How could this hack be thwarted? Leave a comment!
As if we don’t already have enough to deal with, it seems that malvertising–a technique where malicious code is placed in an online ad to either mislead the user or infect their computer—is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice against a threat, you know it has some teeth.
The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malverstisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.
Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).
As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.
Caveat araneo-fluitator! (Let the web-surfer beware!)
What do you think? Leave a comment!
My most recent post, Hacker Skills Help Save a Client’s PC, is a real-life practical example of how honing (or developing) your hacking skills can help you better serve your clients. So if you haven’t gotten around to it yet, mosey on over to HackThisSite.org, create an account and get started on the basic missions. They’re pretty simple, but if you don’t know a thing about hacking, you’ll be challenged.
Did you figure out level 3 of the HackThisSite.org Basic Missions? Here’s the mission:
This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.
Recall that Sam forgot the password file the last time and so the script that checked for the file returned a <null> value—a blank password. This time, he remembered to upload the password file, which, if you look at the source code for the page, is password.php. In the last challenge, we were told that the password file was not encrypted. I wonder if we can open password.php? Let’s copy the URL of the challenge page and append “password.php” to it: http://www.hackthissite.org/missions/basic/3/password.php. Voila! The page opens, revealing 792debbc as the password.
A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.
When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.
I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of [“%1″ %*] to ; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.
Hacker skills are valuable for us white hats.
Did you figure out level 2 of the HackThisSite.org Basic Missions? Here’s the mission:
Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…
Read the mission briefing very carefully. A script loads a password from a file. There isn’t a file, so the script won’t load anything, meaning the variable will be…empty (blank). Clicking the Submit button with an empty password field should do it.
That worked. Mission accomplished.
Yesterday, Michael Morisy, ITKnowledgeExchange’s community editor, posted “President Obama’s back-to-school speech tells students to pursue technology. What’s your advice?” It contained a transcript of The President’s speech. Ignoring the controversy and the politics, one has to agree that he made some good points; in fact, I found the whole speech inspiring.
One thing President Obama said relative to the pursuit of technology careers stood out: “Students who sat where you sit 20 years ago founded Google, Twitter and Facebook and changed the way we communicate with each other.” Yes, and before that another generation of students invented the Internet and founded the biggest software company in the world. What he left unsaid is that these technological advances have not been without problems; indeed, they have created entirely new problems that have spawned a separate IT industry: Information Security.
My advice to students who pursue technological careers—particularly IT related—is to realize that the development of new technology also carries with it the responsibility of ensuring that technology is safe to use. The lack of such responsibility in the past, whether through shortsightedness or outright neglect, has given us an Internet that is a haven for a new breed of criminal, that exposes our children to predators, hate propaganda and smut all at the click of a button and often unwittingly. And I haven’t even mentioned the threat to our national security.
President Obama said, “…you become good at things through hard work.” There’s a lot of hard work ahead before we get to the point where anyone can buy a computer, plug it in and use it safely without having to be an information security specialist.
We’ll know we’re there when the PC is as safe to use as a TV.
All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.
The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:
MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."
We can only hope.
The other day, I proposed you test out your ethical hacking skills over at HackThisSite. If you didn’t see that post, take a look now: How Are Your Hacking Skills? As promised, I’m publishing my comments and approach to the solution.
Level 1, dubbed “The Idiot Test,” requires that you enter the correct password into a password field in order to continue to the next level. The name itself seemed a giveaway to me, so I started with the obvious, a blank password, and simply clicked the submit button. No joy. Next, I tried ten of the most popular weak passwords in use (take your pick as to which “Top Ten” list you prefer):
None of these worked; it appeared as if the test was going beyond the idiot level. If it’s that simple, it should be obvious, so I took another look at the screen and noticed another subtle clue: “If you have no idea what to do, you must learn HTML.” Hmm. Maybe the page source has a clue. I opened the page source and searched for “password.” Bingo! I found this in the code:
<!-- the first few levels are extremely easy: password is 1e79cde6 –>
Did you figure it out? Hit the comments and let me know.
I received some good feedback on my “14 Golden Rules of Computer Security” list, in particular, this comment from Michael: “…you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.” This lead to a review of past articles I’ve posted on the subject and my finding that though I’ve covered all of the bases, my writing is a bit fragmented. So, you can go back to “Nine Steps to System Security – 2008", “The Lazy Man’s Way to System Security”, and “14 Golden Rules of Computer Security” and put them all together for a complete PC security package, but that’s a lot for the average user to digest.
As of today, I’m embarking on a major pre-release revision of the eBook, 14 Golden Rules of Computer Security to make sure all of the bases are covered in a logical combination and sequence. In essence, the book will begin with the concept of a security baseline—the bare security essentials—for a normal home PC setup and will branch from there.
What’s a good PC security baseline? In “The Lazy Man’s Way to System Security,” I proposed these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” That was good enough at the time, but these days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”
There are many possibilities for implementing those four basic items and that will be well covered in the book.