HP Racist Webcam - Facial Recognition Far From Perfect

On the 10th of December a tongue-in-cheek demo of a failure of an HP webcam was published on YouTube. The video shows the failure of software designed to recognize the speaker's face and react so that the face is always centered in the frame.

The failure is that the software does not recognize a black person's face, while it clearly identifies the white person's face.

In the meantime several other videos appeared that further analyze this situation. It appears that a person with very dark skin is not recognized unless there are perfect lighting conditions, since the camera cannot distinguish the facial features.

This only adds fuel to the fire on the issue of facial recognition in biometric IDs. It is now proven that facial recognition can fail miserably on a sizeable chunk of the world population.




Does this mean that black people should not use biometric IDs? What do you think?

Related posts
A Simplified Analysis - Can you Forge a Biometric ID?

Hacking Rapidshare Premium Access at Your Own Risk

A lot of people on the internet have become frustrated by the rapidshare free limitations, and wished they had a premium account. Well, you actually can have such an account, but it may come at an unexpected cost. Just use a rapidshare premium link generator service.

One of those 'services' is Rapid Premium. To log in just use the public/public credentials and go to the download section. In the text box paste the URL of the public access rapidshare link to the file you wish to download. Rapid Premium will use the stolen credentials and create a URL for you that will use a 'borrowed' Rapidshare Premium account.



As a simple test, I logged on to the service from an isolated virtual machine, and downloaded a small text file. The test was performed with our own file to limit possible malicious code from rapidshare. The file got downloaded faster, and the MD5 hash wasn't changed - so no intrusion from Rapid Premium on this one.

  • Is it useful? Probably yes. There are a lot of situations when you need a fast download, or the free download slots on rapidshare are full just when you need something.
  • Is it legal? Most probably not. Just as a lot of these services do, this one relies on stolen rapidshare credentials. But it's a bit safer than just obtaining such a credential from black hat forums or IRC channels, since you can always claim plausible deniability.
  • Is it safe? Most probably not. Always remember that there is no such thing as a free lunch. Services like Rapid Premium are excellent locations for all kinds of hacking attempts on the visitors - browser vulnerabilities, XSS, CSRF or anything else. So before thinking about 'hacking' rapidshare, just consider whether it is really that important to get the data a bit earlier.

Talkback and comments are most welcome

Related Posts
Ratproxy - Google Web Security Assessment Tool
How To - Malicious Web Site Analysis Environment

DECAF - Counter Forensics Tool That Must Grow

After the leak of Microsoft COFEE into the 'wild', a tool emerges that will supposedly make life very difficult for a forensic investigator using COFEE.

The tool is titled DECAF and is freely available, although not open source.

The tool does not need to be installed, and when configured in 'LockDown Mode' offers a set of Counter-Forensics functions upon detecting a COFEE process running on the computer. The following Counter-Forensics functions are available:

  • Contaminate MAC Addresses - Modify MAC addresses of network adapters to possibly throw investigators off course in the investigation
  • Kill Processes - Eliminates
  • Shutdown Computer - Self-evident if possible evidence is in memory
  • Disable network adapters - most forensic tools send their evidence onto a trusted network share - this will stop all external communication
  • Disable USB ports - the basic blockade step to prevent COFEE from working properly
  • Disable Floppy drive - should you use a floppy for evidence collection or COFEE execution
  • Disable CD-ROM - Same as USB and Floppy
  • Disable Serial/Printer Ports - Got lost here; unless you have some specific tools or choose to print evidence, this is not very useful
  • Erase Data - Basic Windows delete of folders which you know may incriminate you. Won't do much good though since it can be
  • Clear Event Viewer - Remove logs from the Event Log
  • Remove Torrent Clients - nobody wants these found, especially on their company computer
  • Clear Cache - Remove cookies, cache, and history from everywhere
Since most users don't have COFEE copies to test DECAF, it includes a simulator that triggers the reaction as if a COFEE process were active.

According to information from the site, future versions will have text message and email triggers, so in case the computer needs to enter lock down mode the user can do it remotely. There is also a suggested possibility to run it as a Windows service.

But DECAF is far from being a magic bullet: in its present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues:
  1. Related to one product and its current mechanism of operation - DECAF is designed to react to COFEE, and is built to react to the leaked version of the COFEE code. In the long run, Microsoft can modify the way COFEE processes operate, which may render DECAF useless. DECAF needs to expand into an automated 'evidence eraser' independent of COFEE.
  2. Needs to be run under administrator context to be most efficient - You can't erase the Event Log nor change the MAC address unless you are the local administrator. So usual corporate employees need to understand that their protection is limited to what their account is permitted to do.
  3. It doesn't 'live' as a service - you need to run the process for it to be active. And any forensic investigator can see the tray icon and the process in task manager. While DECAF developers announce that it will run as a service, as it is now it is as visible as a zit in the middle of a teenager's nose.
  4. Fails on certain platforms - running it on Windows XP (virtual environment test) produced an error and failed the application. While this may not be the case with all WinXP installations, there is a probability that DECAF will fail on some computers.
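The 'Clear Event Viewer' function above and issue 2 cut both ways for the investigator: on Windows, clearing a log is itself logged (event ID 1102 in the Security log on Vista and later, 517 on XP/2003, and 104 in the System log for the other logs), and that record lands in the fresh log after the wipe. The following Python script is an added example, not part of this post and not code from DECAF or COFEE; it scans a CSV-style export of Event Viewer records for those events and groups them into bursts, since several logs wiped within seconds of each other looks like an automated tool rather than an administrator tidying up. The export format and every record in it are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in the shape of a simple CSV export of Event Viewer records:
# log name, event ID, provider, time (UTC), account.  All values are made up.
SAMPLE_EXPORT = """\
Security,4624,Microsoft-Windows-Security-Auditing,2009-12-14 09:01:12,WORKSTATION\\alice
System,7036,Service Control Manager,2009-12-14 09:01:40,SYSTEM
Security,1102,Microsoft-Windows-Eventlog,2009-12-14 09:02:05,WORKSTATION\\alice
System,104,Microsoft-Windows-Eventlog,2009-12-14 09:02:07,WORKSTATION\\alice
System,104,Microsoft-Windows-Eventlog,2009-12-14 09:02:09,WORKSTATION\\alice
Security,4624,Microsoft-Windows-Security-Auditing,2009-12-14 11:30:00,WORKSTATION\\bob
System,104,Microsoft-Windows-Eventlog,2009-12-14 17:45:00,WORKSTATION\\bob
"""

# Events Windows writes when a log is cleared.  They are written into the
# freshly emptied log, so the wipe itself leaves a trace (1102 and 104 on
# Vista and later, 517 on Windows XP / Server 2003).
LOG_CLEARED_IDS = {
    ("Security", 1102),
    ("Security", 517),
    ("System", 104),
}

Record = namedtuple("Record", "log event_id provider time account")


def parse_export(text):
    """Parse the CSV export into Record tuples (blank lines are skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        log, event_id, provider, stamp, account = line.split(",")
        records.append(Record(log, int(event_id), provider,
                              datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                              account))
    return records


def find_log_clears(records):
    """Return only the 'log was cleared' events."""
    return [r for r in records if (r.log, r.event_id) in LOG_CLEARED_IDS]


def group_bursts(events, window=timedelta(seconds=60)):
    """Cluster clear events that fall within `window` of the previous one.
    Several logs wiped within seconds looks like an automated tool, not an
    administrator clearing a single log by hand."""
    bursts = []
    for ev in sorted(events, key=lambda r: r.time):
        if bursts and ev.time - bursts[-1][-1].time <= window:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(text):
    """(start time, account, number of clears) for each burst in the export."""
    clears = find_log_clears(parse_export(text))
    return [(b[0].time, b[0].account, len(b)) for b in group_bursts(clears)]


if __name__ == "__main__":
    for start, account, count in summarize(SAMPLE_EXPORT):
        print(f"{start} {account}: {count} log(s) cleared")
```

On the constructed data the script reports one burst of three clears by `alice` within four seconds and a single clear by `bob` hours later; the first is the pattern worth pulling the timeline around, the second is routine. Note that a tool running without administrator rights (issue 2) cannot produce these events at all, because it cannot clear the logs in the first place.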

Talkback and comments are most welcome

Related posts
New Helix3 Forensic CD - Welcome
Digital Forensics Framework - A Perspective Forensics Tool
Tutorial - Computer Forensics Process for Beginners
Tutorial - Computer Forensics Evidence Collection
Scalpel - File Carving from Partially Wiped Evidence Disk

DefendTheApp - An OWASP AppSensor Project

DefendTheApp.com is now live. This site provides a fully functioning demonstration application that has implemented an AppSensor detection and response capability. The site also provides easy links to all relevant AppSensor information.


Not familiar with AppSensor? The basic idea is this: currently applications use a variety of secure development techniques to prevent an attacker from being able to break into the application. Secure development is great; however, we can't just stop there.

Consider the defensive strategies used by physical banks, prisons, federal buildings, etc. We do use security controls to prevent attacks (locked doors, ID card to enter); however, we also use a variety of methods to monitor and detect attackers before they have succeeded in their devious intents (cameras, guards, motion sensors, alarms). And in the real world, we put most of our faith in the ability to detect and catch a criminal, not in the ability to design a system that can withstand a relentless and unrestricted series of attacks.

This is the idea of AppSensor. Implement detection points within the application to discover a malicious user that is probing for vulnerabilities. Once the user is detected and a threshold of malicious activity is reached, report the user as an attacker and lock that user out of the application. If you can detect attackers and lock them out before the attacker finds a vulnerability, then you've significantly enhanced the security of your application.
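As an added illustration of the detection point, threshold and lockout idea (example code written for this page, not part of the original post or of the OWASP AppSensor project): a small Python sensor that counts suspicious events per user inside a sliding time window and locks the user once a threshold is crossed. The detection point name `unexpected_parameter`, the thresholds, the window and the sample users are assumptions made for the example, not the project's official detection point catalogue.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AppSensor:
    """Detection points with per-user thresholds; crossing one locks the user.

    `thresholds` maps a detection point name to the number of events within
    `window` that marks the user as an attacker.  The point names are
    descriptive labels chosen for this example (assumption), not the
    identifiers from the AppSensor detection point catalogue."""

    def __init__(self, thresholds, window=timedelta(minutes=5)):
        self.thresholds = thresholds
        self.window = window
        self.events = defaultdict(deque)   # (user, point) -> recent timestamps
        self.locked = {}                   # user -> (point, time of lockout)

    def record(self, user, point, when):
        """Record one suspicious event for `user`; return 'ok' or 'locked'."""
        if user in self.locked:
            return "locked"
        recent = self.events[(user, point)]
        recent.append(when)
        # Slide the window: forget events older than `window`.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.thresholds.get(point, float("inf")):
            self.locked[user] = (point, when)
            return "locked"
        return "ok"

    def is_locked(self, user):
        return user in self.locked


def check_request(sensor, user, params, allowed, when):
    """Detection point 'unexpected_parameter': a normal client only submits
    the parameters the form defines, so extra ones suggest someone probing."""
    if set(params) - set(allowed):
        return sensor.record(user, "unexpected_parameter", when)
    return "ok"


def demo():
    """Three probes by one user inside the window trip the lock; a clean
    request from another user at the same time is unaffected."""
    sensor = AppSensor({"unexpected_parameter": 3, "failed_login": 5})
    t0 = datetime(2009, 12, 1, 10, 0, 0)
    allowed = {"username", "password"}
    outcomes = []
    # mallory keeps adding a parameter the login form never had (constructed)
    for i in range(3):
        probe = {"username": "m", "password": "x", "debug": "1"}
        outcomes.append(check_request(sensor, "mallory", probe, allowed,
                                      t0 + timedelta(seconds=10 * i)))
    # alice sends a well-formed request at the same time
    outcomes.append(check_request(sensor, "alice",
                                  {"username": "a", "password": "b"},
                                  allowed, t0))
    return outcomes, sensor.is_locked("mallory"), sensor.is_locked("alice")


def window_expiry_demo():
    """Two probes an hour apart do not add up: the window slid past the first."""
    sensor = AppSensor({"unexpected_parameter": 2}, window=timedelta(minutes=5))
    t0 = datetime(2009, 12, 1, 10, 0, 0)
    allowed = {"username", "password"}
    probe = {"username": "c", "password": "x", "debug": "1"}
    first = check_request(sensor, "carol", probe, allowed, t0)
    second = check_request(sensor, "carol", probe, allowed,
                           t0 + timedelta(hours=1))
    return first, second


if __name__ == "__main__":
    print(demo())
    print(window_expiry_demo())
```

The point of the window is to separate a user who mistyped a URL once from one who is systematically probing: the former never reaches the threshold, the latter is locked before the third attempt completes, which is the "detect and lock out before the attacker finds a vulnerability" outcome the post describes.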

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...


Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
HTTPS Data Exposure - GET vs POST

A Simplified Analysis - Can you Forge a Biometric ID?

Security of biometric IDs like biometric passports is a very frequent topic of discussion and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge.
Here is an example of the possibility to create a fake Biometric ID with very little technical knowledge. In order to understand this possibility, we need to discuss the 2 biometric elements within the ID:

1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available.


But facial recognition has an inherent weakness - it cannot be calibrated to 100% accuracy. This is simply because some features of your face can actually change on a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be flexible - most facial recognition systems are set up to match at around 70-80%.

2. Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled, with very simple and available methods. One simply lifts the fingerprints and creates a copy using Photoshop, a laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?

Technically, it is very very difficult to modify a manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the input data into the process of creating a new legal biometric ID? The process is quite simple:

  1. The seller of the fake ID must create the fake ID for a person that has similar facial features to him/her, so the facial recognition software matches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
  2. The seller will prepare fake fingerprint covers of the buyer and attach them to his/her fingers.
  3. The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner that is in front of a bulletproof glass (to isolate from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice your fake fingerprint covers. Oh, and the application software rarely compares the previous fingerprints with the currently scanned ones.
  4. If all goes well, the seller will receive an original ID which contains the face of the seller as well as his/her personal information, but the fingerprints are of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
  5. For all legal purposes such an ID is very much a fake, and there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints?
Easy, isn't it?
What's your opinion? Can this method actually work?


Privacy Ignorance - Was Eric Schmidt thinking?

Eric Schmidt said in a CNBC special recently that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place!”

And yet the reaction to this flagrant ignorance of basic privacy is mixed. Some are criticizing, others are agreeing. Garett Rogers at ZDNet is even brown-nosing Google's CEO for some reason, with the statement "I couldn't agree with him more!"


It would have been easy to just start ranting about the generic ignorance of Eric Schmidt for anything private. But I wanted to see what the Google engine would do with something that I don't want anyone to know, and yet couldn't prevent from happening - ILLNESS.

I created a series of e-mails which I exchanged between two Gmail accounts. It took 3 e-mails for Gmail to suddenly start offering me anti-allergy bracelets, and refer me to doctors in their AdSense. Now, Google engines know that I have an allergy. Here are the transcripts of those e-mails, word for word:

I apologize for not being on time, but I had to visit a doctor
Apparently, I have developed some form of allergy. I will need to be treated with anti-allergy drugs for some time.

They are still investigating which medicine is the best

See you around
---------------------------------------------------------------
Bozidar
I am very sorry about your situation. I have had some rash issues myself some time ago, and I got prescribed Singulair and Alavert. Maybe you should mention those to your doctor as possibilities

Be safe
---------------------------------------------------------------
Alavert is for allergies. So I'll be mentioning it to my doctor

Thanks

All it takes is 3 very short texts for Google's engines to know that you are ill. And those may be e-mails you exchanged with your physician. It is quite obvious that the automated engines use this information - I got relevant advertisements.

So I would ask Mr Schmidt:
  • Nobody chooses to be ill, and information about health is exchanged via e-mail, so now Google knows it. So, please answer - what won't Google do with this information?
And I will ask Mr Brin and Mr Page:
  • Do you support that the CEO of your company stated that it's our fault that Google knows something that is very private and confidential?

Talkback and comments are most welcome

Related posts
No Privacy - Saw You Cheating on Image Search
Google Voice - No Privacy Remains?

Vulnerability Management from the Cloud - Overview of the services

Vulnerability and Compliance Management offered as Software as a Service (SaaS) is springing up like mushrooms. The SaaS model has enabled companies focused on vulnerability management to extend their reach, and offer their services to more and more potential clients.
Most companies in this market name their SaaS service the "on-demand solutions for security risk and compliance management".


The players
Here is the list of potential vendors that you should look at, in no particular order:

Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it's a representative sample that will help you to review what is the offering of the competition.

The offering
The services are usually delivered as dedicated black-box appliances that are placed within your infrastructure. They perform the scanning or IPS/IDS, but the results are then sent to the 'cloud' where reports are generated. Most companies are offering the usual set of services:
  • Vulnerability Scanning - the basic offer of vulnerability scanning, with more or less success but definitely comparable to your local vulnerability scanner.
  • PCI DSS Scanning - Payment Card Industry Data Security Standard (PCI DSS) was one of the important 'differentiators' of SaaS vulnerability scanning. PCI DSS requires a scan that is certified by the PCI group and performed by a certified company. So the SaaS Vulnerability Management companies got certified and created the PCI DSS scans. But for all everyday intents and purposes, your local vulnerability scanners have the same PCI DSS scans - all you need is to commission the scan 4 times a year for the PCI DSS audit.
  • Managed Intrusion Detection/Prevention - much like the vulnerability scanning, this is more or less what your local IPS/IDS does, only the results go out and get analyzed and compared in the cloud.
  • Reporting and Fix Tracking - this element may be one of the differentiators, but local vulnerability scanners are catching up. In a SaaS solution, all results are kept as reports, and you can easily create comparative baseline reports, or even assign tasks to persons for fixing some vulnerabilities. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for fixing.

Vulnerability Management - Local or Managed?
In conclusion, both the local and the managed solutions are living quite well at the moment. And function wise they are comparable. So which one to go for?
  • The local solution can easily be reconfigured and directed at different targets. It is very flexible and, because it is usually installed on a laptop, very portable. It is an excellent choice for anyone that needs to perform scans from different positions in the corporate network. This would include IT security teams, penetration testers, external auditors and consultants.
  • The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black box probe, or at the managed service provider as an external scan. It can be configured with the required targets, scheduled to run at regular intervals and perform regular controls. It is a good choice for internal auditors, security officers and compliance officers - no need for maintenance, it is all handled by the managed service provider.
  • Calculate the optimal price/performance - the SaaS versions are usually sold as a yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are fixed to the block of IP addresses. On the other hand, the local scanners require hardware to run on, and you still pay a subscription for the vulnerability updates. So you need to calculate your optimal cost based on your requirements and expectations.


Talkback and comments are most welcome

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
NeXpose Community Edition - Our First Look
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

Summary of IP Spoofing

If you are using any sort of IP based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.



Let's look at two different scenarios.

Scenario #1 Attacker wants to spoof an arbitrary IP address and the attacker is not on the same subnet (broadcast domain) as the targeted IP address. Example: attacker is 1.2.3.4 and wishes to spoof 4.5.6.7

Scenario #2 Attacker wants to spoof an IP address of someone on his own subnet (broadcast domain). Example: attacker is 192.168.1.55 and wishes to spoof 192.168.1.58 (assuming subnet of 255.255.255.0)


Scenario #1

The attacker can create forged TCP packets and modify the source IP address to be any value. One tool that can do this is HPING2.

What can you do:

  • Send an initial TCP packet with any source IP address
  • Send a series of UDP packets with any source IP address
  • Send a series of unrelated TCP packets from the same or varying IP addresses
What can't you do:
  • Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.
  • Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can't complete the handshake or guess the necessary information to continue the TCP connection.
Scenario #2

The attacker can perform a variety of attacks to forge or take over the IP address on the same subnet.

Attack Options:
  • Simplest - Statically define your IP address to the target IP address
  • Switch your MAC address to the MAC address of the current NIC for the target IP address and attempt to assume control of IP
  • Execute man in the middle attack via arp spoofing (see tool Cain & Abel) and then gain control of user's unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.
What can you do:
  • Assume control of the IP address. Note: This means you can send/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don't have the user's session cookies).
What can't you do:
  • Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (browser warning message for MitM invalid certificate).
Hope this is helpful. This is by no means an exhaustive list of attack techniques, but something to consider if you are using IP related controls within an application.
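To make the consequence for IP-based application controls concrete, here is an added Python model written for this page (not part of the original post, and it sends no real packets): a toy TCP server that answers every SYN with an unpredictable 32-bit initial sequence number, plus two allow-list checks, one that trusts the source address of a single UDP datagram and one that is only applied after the handshake has completed. In scenario #1 the SYN-ACK is routed to the forged address, so the off-path sender has to guess the ISN and the session is never established; in scenario #2 the sender receives the SYN-ACK and can complete the handshake, which is the same-subnet "assume control of the IP address" case. The addresses are the post's own examples; the port numbers and datagram contents are constructed.

```python
import secrets

MASK32 = 0xFFFFFFFF


class TcpServer:
    """Toy model of the server side of the TCP handshake: every SYN is answered
    with a SYN-ACK carrying a fresh 32-bit initial sequence number (ISN), and a
    connection is only established if the final ACK acknowledges isn + 1."""

    def __init__(self):
        self.pending = {}        # (claimed source ip, port) -> server ISN
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        isn = secrets.randbits(32)          # unpredictable, as modern stacks do
        self.pending[(src_ip, src_port)] = isn
        # The SYN-ACK is routed to the source address written in the packet,
        # whoever actually owns that address.
        return {"to": src_ip, "ack": (client_isn + 1) & MASK32, "seq": isn}

    def on_ack(self, src_ip, src_port, ack):
        isn = self.pending.get((src_ip, src_port))
        if isn is not None and ack == (isn + 1) & MASK32:
            self.established.add((src_ip, src_port))
            return True
        return False


def attempt_connect(server, claimed_ip, real_ip, port=40000):
    """Try to open a session while claiming `claimed_ip` from a host that really
    sits at `real_ip`.  The SYN-ACK goes to claimed_ip, so the sender only sees
    it when the two coincide (scenario #2 after the address was taken over);
    an off-path sender (scenario #1) has to guess the 32-bit ISN blind."""
    client_isn = secrets.randbits(32)
    synack = server.on_syn(claimed_ip, port, client_isn)
    if synack["to"] == real_ip:
        ack = (synack["seq"] + 1) & MASK32         # saw the SYN-ACK, answer it
    else:
        ack = (secrets.randbits(32) + 1) & MASK32  # blind guess, 1 in 2**32
    return server.on_ack(claimed_ip, port, ack)


def udp_allowlist_accepts(allowlist, datagram):
    """An application control that trusts the source address of a single UDP
    datagram: there is no handshake, so a forged source is accepted as-is."""
    return datagram["src"] in allowlist


def tcp_allowlist_accepts(server, allowlist, src_ip, port):
    """The same allow-list applied only once the handshake completed: a source
    forged from off-path never appears in the established set."""
    return src_ip in allowlist and (src_ip, port) in server.established


if __name__ == "__main__":
    srv = TcpServer()
    print("on-path 4.5.6.7  :", attempt_connect(srv, "4.5.6.7", "4.5.6.7"))
    print("off-path spoof   :", attempt_connect(srv, "4.5.6.7", "1.2.3.4", port=40001))
    print("udp forged src   :",
          udp_allowlist_accepts({"4.5.6.7"}, {"src": "4.5.6.7", "data": b"hello"}))
```

The UDP check accepts a forged source unconditionally, so an IP restriction on a connectionless or single-packet path is not a security control on its own; the TCP check only admits sources that completed the handshake, which is exactly what the post's scenario #1 attacker cannot do. It does nothing against scenario #2, where the attacker really owns the address on the wire, which is why the post recommends evaluating the control against both scenarios.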


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

NeXpose Community Edition - Our First Look

Rapid7 chose to publish a free version of their NeXpose scanner. The software has been available for less than a month, and still has to prove itself to the general community. We are publishing the experiences of our first look at this product. NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.


Installation
The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Win2003 Server.

First run
Start up on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as I could understand, the access denied messages are because of an attempt to modify the registry which is protected under Windows 7. Even when using Run As Administrator I got the same results.
The run was successful from the Windows 2003 server installation. The first start up was extremely slow; it ran for more than 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780

First Scan
In order to scan you need to configure a Site, with target IPs within it. You can add several target IPs within the same site. The scanning options include the following scanning templates:

  • Full audit : Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.
  • Exhaustive : Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.
  • Penetration test : Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.
These templates and their behaviour cannot be modified in the NeXpose Community.

You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes Penetration Test scan within 5-7 minutes on a fast link.

Scan Results
The scan results are presented in a very clear manner, for each site separately. The Penetration Test template on a Damn Vulnerable Linux 1.5 with an active HTTP target was scanned in less than 3 minutes, and identified the following vulnerabilities:
  • PHP Multiple Vulnerabilities Fixed in version 4.4.9
  • PHP Unspecified 'glob' Vulnerability
  • PHP Crafted UTF-8 Inputs Buffer Overflow
  • Apache Signals Sent to Arbitrary Processes Denial of Service
  • PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
  • Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
  • HTTP TRACE Method Enabled
  • ICMP timestamp response
The reporting, although crippled compared to the commercial versions of NeXpose, is still very good. You can schedule report generation and sending, and you can configure a baseline for each report - you get comparative results of the changes between the scans. This is very useful for automated scanning and for the information required by IT Auditors and Information Security Officers.

Conclusions
NeXpose Community is a valuable addition to the free tools that each security professional can use in his/her work. It is very useful in terms of automated audits, and it is very interesting that it integrates with the Metasploit Exploit Framework. It still has glitches and issues on some platforms, but all tools are work in progress, so for the time being just add it to your toolset; don't replace any tools with it.

Talkback and comments are most welcome

Related posts
Possible Emerging Player In InfoSec Market?
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
WMI Scanning - Excellent Security Tool

Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic

When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.

Of course, you will argue that the corporate devices have wired access to the internet, which is much more reliable and faster. But the wired infrastructure is also fully controlled by IT - with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:

  1. corporate laptop holders - usually employees higher in the hierarchy who got bored with the restrictions of the corporate Internet filters and can easily turn on their wi-fi to check their private e-mail, or just download something.
  2. corporate guests - most visitors to corporations have WLAN enabled devices, ranging from mobile phones/pda, over netbooks to full blown laptops
  3. external contractors - a lot of corporations will isolate external contractors to the guest WLAN for internet access.

The following diagram is an example of hunting for interesting targets in the corporate WLAN

The diagram clearly depicts the high concentration of possible high profile targets - marked in red color.

One can always make the argument that the same attack can be made within a Mall, or even in the home networks of those interesting targets. This argument is completely true, but in a Mall your high profile targets are blended in the multitude of the students, casual freebie surfers and even the mall store clerks with their WLAN devices.

And the home environment is even more difficult, because the high profile targets are dispersed all over the city, and you may not know where they reside. So, sniffing the networks of one specific high profile target will bring a lot of costs to the attacker.

The following diagram is an example of the difficulties in sniffing for interesting targets in the home or public places WLAN



So, for my money, I'll always prefer to sniff for traffic in the corporate guest WLAN.

Talkback and comments are most welcome

Related posts
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction
DHCP Security - The most overlooked service on the network

5 Ways to fail a Social Engineering Pen-Test

A lot of penetration testing assignments include the famed Social Engineering test. When reading about it, or watching social engineering scams on a TV series, it looks very straightforward - you come in all nice and smooth-talking and every door opens for you.

The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme situation, you may spend some hours in the offices of corporate security or even the police, until the pen-test authorizations are verified.

Here are the most common ways to fail a Social Engineering Penetration Test:

  1. Come unprepared - Just walking into a company and asking for confidential documents sounds stupid. But trying to perform a social engineering attack on your first visit is even more stupid. Until you do a proper amount of recon and research you have no idea what the company relationships are, who is in charge of what, and what exceptions or processes may be used to succeed in a social engineering attack.
  2. Just Wing It - Wake-up call: you are not Frank Abagnale from "Catch Me if You Can" and you are not Danny Blue from the TV series "Hustle". During a social engineering attack you need to think on your feet and being creative always counts. But not preparing a background story supported by a nice set of evidence is a great way to fail a social engineering pen-test.
  3. Be outright aggressive or arrogant - Nobody likes people who are bossy and arrogant. While having an air of authority helps during a social engineering attack, you don't want to start from position of authority with an aggressive approach. That is the best way to get people to close up in the cocoon of procedures and regulations, or they'll simply call your bluff - in both ways you fail. Instead, you need to be friendly, courteous and polite. Maintain your air of authority, but never overuse it.
  4. Choose the wrong person for the job - Social engineering is achieved through appealing to the people's urge to help others. But certain profiles of targets tend to be more helpful to different persons. For instance, a target group of young men will be very helpful to a nice looking woman of their approximate age or just a bit older - to maintain the advantage of implied authority through the age difference. But this same woman is considered a threat by target groups of young women, so for them you need to choose a different attacker. The same principle applies to phone based social engineering attacks.
  5. Dress for failure - In social engineering, always remember that clothes make the man. If you perform a social engineering attack on a bank, you don't want to appear in jeans and sneakers. But if you are performing a social engineering on a software development company, you may actually miss by a mile by wearing suit and tie. Go back to point 1 about preparation :)

Have any more ways to fail, or good examples? Share in the comments!


Possible Emerging Player In InfoSec Market?

After the Rapid7 acquisition of Metasploit, things are beginning to shift in the Vulnerability Scanning and Penetration Testing market. The basic trend is one of merging the small independent players into larger organizations with a product portfolio covering a wider area.

Rapid7 published the NeXpose Community edition, which pairs with Metasploit. At this moment it still has some early-adoption issues, such as problems running on Windows 7, but these will be resolved.

The NeXpose Community may prove to be a strong adversary to Nessus in the free tools market, and by presenting the possibilities of NeXpose to a wider community it will enter the minds of more potential commercial users.

But apparently the competition is not sleeping either. For around a year there has been a joint discount offer on a set of products by Tenable Network Security, Immunity Inc and DSquare Security. This set creates a great overall product:

  1. Nessus, the vulnerability scanner;
  2. Immunity CANVAS, one of the commercial leaders in penetration testing frameworks; and
  3. DSquare, enriching the set with additional exploit packs for CANVAS.

While this joint offer is not new, with the current moves from Rapid7 it may be quite possible for the other players to join forces for a stronger approach to the market.

What do you think? Is the merger of Tenable and Immunity possible? Will it provide a better product and will the users benefit?


Tutorial - Alternate Data Streams: The Forgotten Art of Information Hiding

Alternate Data Streams (ADS) are a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, the old Macintosh Hierarchical File System. HFS stores each file's contents in two forks: the data fork holds the contents of the document, while the resource fork identifies the file type and other pertinent details.

How do you create an ADS? Wonderfully easy: All you need to do is have the two files, and then send the file to be hidden to the ADS of the host file with a simple type command:

type file_to_be_hidden > host_file:name_of_file_to_be_hidden

The most frequent use of ADS for malicious purposes is to conceal the executable of a trojan/rootkit as an Alternate Data Stream of a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access in a frequently used executable, such as Calculator.

Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization:
Once you attach an ADS to a file, there is no visible change in the file size of the host file; only the modified date changes. This makes the hidden stream quite difficult to detect. Also, the ADS does not change the MD5 hash of the host file, because the hash is computed over the primary data stream only; this may prevent systems that control file modification through hashing from detecting the hidden file. Here is an example:

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

C:\Users\user\Desktop>type image.jpg>test.txt:image.jpg

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

One would think that this method of information hiding is great for transferring any amount of information in an inconspicuous carrier file sent over a network. But there is a catch: most data carriers ignore the Alternate Data Stream. Here is a summary:
  • Zip, RAR or ARJ will simply compress the host file and disregard the ADS
  • MIME and Base64 encoding (e-mail) will ignore the ADS entirely
  • FAT32 (mostly used on USB flash drives) will lose the ADS since it is not supported
  • Steganography programs will read the bytes of the host file and stop at the EOF
  • FTP and HTTP transfers ignore the ADS entirely
  • Recording the
But all is not lost. There are still ways to transfer data with ADS:
  • Transferring the host file over SMB network to an NTFS target retains the ADS hidden file
  • Copying the host file to an NTFS file system transfers the ADS hidden file
So the information-theft scenario with ADS is mostly available to employees or other trusted persons:
  1. The malicious user will create a legitimate host file and attach the file with the information to be stolen as an ADS.
  2. He will convince the manager to approve taking the legitimate file home to work on over the weekend.
  3. Upon the manager's request, even if USB drives are restricted, IT will copy the file over SMB onto the employee's USB drive - which is sparkling clean and conveniently formatted with NTFS.
  4. All logs of the transfer will show only the approved original file being copied to the USB drive.
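The hash demonstration above, plus the check that IT could run before approving the copy in step 3, as an added PowerShell example (not from the original post). It assumes an NTFS volume; the file and stream names are constructed for the demo, and Set-Content -Stream plays the role of the cmd.exe "type ... > host:stream" redirection.

```powershell
# Added example: show that an ADS leaves the primary-stream hash untouched,
# then enumerate streams to detect it. Constructed file names, NTFS required.
$hostFile = Join-Path $env:TEMP 'report.txt'
Set-Content -Path $hostFile -Value 'Quarterly report - approved for take-home work'

# 1. MD5 of the host file before any ADS is attached (primary stream only)
$before = (Get-FileHash -Path $hostFile -Algorithm MD5).Hash

# 2. Attach a hidden stream; equivalent of  type secret.txt > report.txt:secret.txt
Set-Content -Path $hostFile -Stream 'secret.txt' -Value 'constructed sample of data to be smuggled out'

# 3. Hash and reported size are unchanged, since both look only at the primary stream
$after = (Get-FileHash -Path $hostFile -Algorithm MD5).Hash
"MD5 before: $before"
"MD5 after:  $after   (unchanged: $($before -eq $after))"
"Reported size: $((Get-Item -Path $hostFile).Length) bytes"

# 4. Detection: list every stream of every file under a path. ':$DATA' is the
#    primary stream; anything else is an ADS. Zone.Identifier (Mark of the Web)
#    is a common benign one and is filtered out so real findings stand out.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Run the check over the folder that is about to be copied to removable media
Find-AlternateStreams -Path $env:TEMP | Format-Table -AutoSize

# 5. Inspect the hidden content and strip the stream before the file leaves
Get-Content -Path $hostFile -Stream 'secret.txt'
Remove-Item -Path $hostFile -Stream 'secret.txt'
```

The same enumeration is available from cmd.exe on Vista and later with "dir /r", which lists each file's streams next to it.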

What will you do in such a scenario? Talkback is most welcome!
