Well, slow security news week, so let’s tackle the next hacking skills challenge level. So far, we’ve explored the first 5 basic missions at HackThisSite.org. At each new level, the difficulty increases. At level 6, we’re dealing with a bit of cryptography. Don’t worry, you don’t need a PhD to figure it out; it’s a pretty simple algorithm, and the table it relies on (the ASCII table) is publicly available. Here’s the challenge:
An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge.
You have recovered his encrypted password. It is: bc8g76g<
Your recovered password will be different, but the algorithm to solve it will be the same.
There’s a form where you can enter a text string and have it encrypted by the algorithm used, so that’s a good place to start to solve the cipher. My first attempt was to enter the encrypted password and see what I got back out of the algorithm. The output was bd:j;;mC. Clearly, this is a shifting algorithm of some sort, with the first position, position 0, remaining unchanged. I went ahead and tried the ROT(n) algorithms, even though they don’t usually deal with numbers. No joy there. But a good look at the output might indicate a successive addition pattern: the first position is 0, so the letter remains the same; the second position, 1, increments to the next letter. Reversing the pattern would yield 0, -1, -2, etc.
The presence of symbols suggests the ASCII character set, and that turns out to be the solution. Get an ASCII table. For each character position, count backwards in the table from the character in the password by the number of places corresponding to its position number. So, for b, count back 0; for c, count back 1; for 8, count back 2; and so on. This gives you bb6d31a5, which is the original password.
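The position-indexed shift described above, written out as an added example (not code from the post or from HackThisSite); the only inputs are the two password strings the post quotes. Feeding the ciphertext back through encrypt() reproduces the bd:j;;mC the form returned, and decrypt() reproduces bb6d31a5.

```python
# Added example: HackThisSite basic mission 6 cipher as the post describes it.
# Encrypt: add each character's index to its ASCII code.
# Decrypt: subtract the index again. There is no key, so anyone who knows the
# rule can reverse it; that is why it is a puzzle, not real encryption.


def encrypt(plaintext: str) -> str:
    """Add the character's position to its ASCII code."""
    # For long inputs the shifted code can leave printable ASCII (> 126);
    # the mission's short passwords never get that far.
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def decrypt(ciphertext: str) -> str:
    """Subtract the character's position from its ASCII code (the inverse)."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def decrypt_with_table(ciphertext: str) -> list:
    """Same as decrypt(), but returns the per-position working as
    (index, cipher char, its ASCII code, plain char) tuples, so the result
    can be checked against a printed ASCII table by hand."""
    return [(i, c, ord(c), chr(ord(c) - i)) for i, c in enumerate(ciphertext)]


if __name__ == "__main__":
    recovered = "bc8g76g<"          # the encrypted password quoted in the post
    print(decrypt(recovered))       # bb6d31a5
    print(encrypt(recovered))       # bd:j;;mC, what the form returned for the ciphertext
    for i, c, code, p in decrypt_with_table(recovered):
        print(f"pos {i}: {c!r} ({code}) - {i} -> {p!r}")
```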
Microsoft’s Security Essentials (MSE), released last week amidst criticism from antivirus giant Symantec, is proving to be effective, robust protection against current malware threats. Performance analysis by av-test.org shows that MSE is on par with many other standalone antivirus products.
Using Windows XP as a testbed, AV-Test pitted MSE against 545,000 current computer worms, viruses, backdoors, bots and Trojan horses; MSE detected more than 98 percent. It detected just over 90 percent of adware and spyware samples and excelled at detecting and removing rootkits.
My experience with MSE so far mirrors the company’s claims that the program “…runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.”
Any way you look at it, MSE is a game changer. While it’s currently only available as a downloadable add-on to Windows, I doubt it will be long before it comes bundled with the OS on new PCs. When that happens, the AV giants are going to find themselves hard pressed to come up with legitimate reasons for someone to purchase their products.
Search for “computer security maxims” on any of the top three search engines (Google, Yahoo, Bing) and my articles mostly dominate the results. So I was quite surprised that Security Now Episode #215, entitled “Security Maxims,” gave no mention whatsoever of my contributions to this subject over the past three years. Guess I’ll have to take that up with Steve and Leo. To be fair about it, though, the maxims that Steve talked about in the episode, composed by Roger G. Johnston, Ph.D., CPP of Argonne National Laboratory, Nuclear Engineering Division, are related to “…physical security and nuclear safeguards.” However, according to Johnston, “They probably also have considerable applicability to cyber security.” Many of them are also amusing.
Take this one for instance:
So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.
Or this one:
Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
Comment: From security guru Bruce Schneier.
How about this?
Byrne’s Law: In any electrical circuit, appliances and wiring will burn out to protect the fuses.
In all, there are more than 60 maxims listed. You can download a PDF of “Security Maxims” if you want to see more. I highly recommend you read them. You may learn something new. Like I did.
Now, I’m out of here. Have to go fire off an email to Steve and Leo…
Comments? Let me know what you think.
Microsoft Security Essentials is now out of beta and ready for download.
The Microsoft Security Essentials team has this to say:
Microsoft Security Essentials (formerly codenamed “Morro”) is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guesswork out of you wondering if you are protected or not.
If you’re green, you’re good.
Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green protected state.
Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information.
It also runs quietly in the background scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC performance, even on older or less powerful PCs.
Sounds good to me. I’m going to recommend it to some of my less-than-savvy clients and see how it works for them. I’ll even try it myself, though I’m not a good candidate for such a thing, being the security geek that I am. Still, it can’t hurt. The one thing that’s unclear: Is this going to come standard with every new PC, or does everyone have to make the effort to download and install it?
You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.
US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.
The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly”, in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.
The Zeus keystroke logging Trojan’s engine is a file called “sdra64.exe.” At least that’s what LSC’s tech guy found (variations are sure to surface).
Rather than repeat it in my own words, here’s the US-CERT list of recommendations:
- Review the How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites document on the IRS website.
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software.
- Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
- Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
One solution is to encrypt the web page code. A web search will reveal plenty of tools to accomplish this; one that I’ve tried is iWebTool.com HTML Encrypt. It’s easy to use, just paste your raw code into the text entry box, click the “Encrypt” button and see your encrypted code in the lower panel.
It’s not a substitute for secure coding, but it can serve as an effective deterrent.
Comments? Go ahead and hit the button.
So far, we’ve explored the first 4 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy.
Today, we solve level 5:
Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.
If you try the same tactic we used to solve level 4, you’ll get the error message, “Invalid referrer. The requested URL /missions/basic/5/level5.php will not be loaded.” You get this because the script checks the HTTP Referer header to see where you are viewing the page from. If the URL is not /missions/basic/5/ or /missions/basic/5/index.php, it gives an error. Since you’re viewing it from a local file, the check fails.
There are two approaches we can take here: 1. Change the email address in the script using some form of code injection; 2. Use an online monitor/debugger that allows us to edit a page on the fly.
Either way, mission accomplished!
Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:
“http://google.com/safebrowsing/diagnostic?site=[URL of site you want to check]” (Leave off the http://).
Try it out for yourself on your favorite sites. You might be surprised at what you find out.
(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)
What do you think? Leave a comment!
So far, we’ve explored the first 3 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy. Today, we solve level four:
An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address.
This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.
So, what we have to do is hack the page to get the password sent to an email address of our own choosing. The script is invoked by clicking the “Send Password to Sam” button. Once again, we can view the source to see what clues are there. Paths to two scripts stand out:
Those are both relative paths. We can’t make them absolute and save the source, but we can save the page to the desktop, edit it, and then open the local file. This should give us some action. Make sure to change the email address to one you own.
When the page is opened, we see the challenge screen. Click on the “Send Password to Sam” button and voila! A page appears to reveal the password 50c3072c. The script doesn’t actually email the password, so don’t bother checking the email address you entered.
According to some, level 5 is a bit tougher, but I’m sure we have the talent.
What do you think? How could this hack be thwarted? Leave a comment!
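As an answer to the question above, here is an added example (not code from HackThisSite or from this post) that models the level 4 and level 5 scripts in Python and puts a hardened handler beside them. The admin address, the example.org Referer and the form body are constructed values; the two allowed paths are the ones quoted in the level 5 error message.

```python
# Added example: the weakness in the "email my password" form (levels 4 and 5)
# and the server-side fix. Both the hidden 'to' field and the Referer header
# are supplied by the client, so neither can decide where the password goes.
from urllib.parse import parse_qs

ADMIN_EMAIL = "sam@example.com"   # constructed; server-side configuration
# Paths the post quotes from the level 5 error message.
ALLOWED_REFERER_PATHS = ("/missions/basic/5/", "/missions/basic/5/index.php")


def handle_level4(body: str) -> str:
    """Vulnerable: the recipient is read from a hidden form field, so anyone
    who saves and edits the page controls where the password is sent."""
    fields = parse_qs(body)
    to = fields.get("to", [ADMIN_EMAIL])[0]
    return f"password sent to {to}"


def handle_level5(headers: dict, body: str) -> str:
    """Still vulnerable: the Referer header is chosen by the client, so this
    only stops the naive 'open a local copy' approach (no Referer at all)."""
    referer = headers.get("Referer", "")
    if not any(referer.endswith(path) for path in ALLOWED_REFERER_PATHS):
        return "Invalid referrer."
    return handle_level4(body)


def handle_fixed(body: str) -> tuple:
    """Hardened: the recipient is server-side configuration and is never read
    from the request. A submitted 'to' field is evidence of form tampering,
    so the request is refused (and flagged for logging) rather than honoured.
    Returns (message, tampered)."""
    fields = parse_qs(body)
    if "to" in fields:
        return ("refused: unexpected recipient field", True)
    return (f"password sent to {ADMIN_EMAIL}", False)


if __name__ == "__main__":
    edited_form = "to=someone%40example.net&submit=Send+Password+to+Sam"  # constructed
    print(handle_level4(edited_form))
    print(handle_level5({}, edited_form))                              # local file: no Referer
    print(handle_level5({"Referer": "http://example.org/missions/basic/5/"}, edited_form))
    print(handle_fixed(edited_form))
    print(handle_fixed("submit=Send+Password+to+Sam"))
```

The real fix is that no request field or header chooses the recipient; the Referer check is at best a speed bump, and a sensible handler would also not mail a password in clear text at all.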
As if we don’t already have enough to deal with, it seems that malvertising (a technique where malicious code is placed in an online ad to either mislead the user or infect their computer) is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice of a threat, you know it has some teeth.
The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malvertisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.
Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).
As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.
Caveat araneo-fluitator! (Let the web-surfer beware!)