OWASP AppSec Research EU 2012
Two years ago, around February I found myself sending a mail regarding AppSec Research EU 2010. It was a mail to John Wilander , chair of the organizing committee , asking to be a volunteer for the conference. Back then I was still a M.Sc. student leaving abroad and this was more or less my only chance at attending. I had “met” John when he came to give us a lecture on Web Application security in DSV for a course I was taking at that time. In another course, the course literature included Software Security : building security in by Gary McGraw . To cut a long story short, I ended up attending the conference as a volunteer, helped around with all kinds of stuff before and during the conference days and had the opportunity to attend quite a few interesting presentations.
Fast forward to 2012 , I found myself sending another mail regarding OWASP AppSec Research. This time it was a submission for the CFP for a presentation/demo on locational privacy and cree.py, titled : “The cree.py side of geolocation. Weaponizing your check-ins. “ . Yesterday I got a reply that it was accepted. It was accepted in a conference where Gary McGraw is giving a keynote, and John Wilander is presenting his “Advanced CSRF and Stateless Anti-CSRF” talk. These two are just an example of the cool people and presentations that will be around, I just mention only these as they play a part in my story.
I feel extremely happy, humbled and privileged to be given such an opportunity. It’s not that “I’m there” or “I’m getting there” , wherever and whatever this “there” is. It’s just a small personal “victory”, a very own #WIN moment to realize that what sometime ago was just an abstract idea in my mind, became a project I will talk to people about in a conference like AppSec Research. I hope I can deliver an interesting, fun and educational talk and more importantly get to hear what other people will be presenting, mingle and get a feeling of the community. The trip to Athens will be an extra Bonus 🙂
Well, see you in Greece in July !
Honey, I canceled the laundry. – No factor authentication
How would you feel if you couldn’t wash your clothes ? Like , never ? Well, there’s a (web)app for that !!!
Let’s take things from the start : This post applies to people living in student accommodation offered by SSSB ( Striftelsen Stockholms Studentbösteder ) in Stockholm, Sweden. Well , most of them actually, specifically the ones in which the electronic lock and booking system provided by aptus has been installed already.
The situation : In the aforementioned housing establishments, external (and some internal ) ordinary door locks have been replaced with electronic proximity readers and keys . Those proximity keys are also used for booking (laundry) services , offered by the same company. Basically, when one needs to book a slot in the laundry rooms , he/she accesses the control unit, uses his/her proximity key to activate it and book the desired time slot. As advertised in the company brochures: “Communication between control unit and booking board is encrypted using 32-bit keys.” I’ll leave out the discussion about cloning proximity keys/cards, as it is irrelevant to the point of this post. For the time being, let’s just all assume that the proximity keys are clone-proof , the 32-bit key sufficient, and the communication is tamper-proof as implied.
The problem : SSSB, trying to be tech-savy and helpful , offers another way to access the booking system , provided again by the same company. It is a web application, built on asp.net where users can login and manage their bookings ( book, cancel , view ) without having to physically access the installed control unit. Hm, so what is the problem , you might ask. Login credentials. Aptus portal uses a username/password authentication system , which , although not without all the potential password related problems ) can be considered a safe practice . I copy wikipedia’s wording : ” A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.” (emphasis is mine) Well, SSSB went a bit over in their attempt to make things easy for users, providing themselves the username and password. What’s worse ? The username and the password is the same string. What’s worst ? The password is not secret, publicly available in many cases, and in worst case easily deduced. The string used as a username and password in the system is the object number of the apartment ( Hyresobjekt ) which is a 11 digit string in the form of abcd-efgh-xyz . The abcd part is the 4-digit code of the housing area ( for example , Lappkärrsberget has 7404 , Jerum has 1106 e.t.c. ) . The efgh part is somehow (not in a consistent manner from what I’ve seen ) deduced from the street number of the building and the floor number of the room ( en example room has 1308 because the address is xxxxxx 13, and it is on the seventh floor . The rooms on the sixth floor have 1307 and so on and so forth ). Lastly the xyz part is deduced from the room number inside the floor. Some correspond to the actual room number , so if the room number is 11 the code is 011 , some are deduced from some older ordering I guess . My room’s xyz part doesn’t correspond to my room’s number, but it corresponds to my kitchen cupboards number, which I suppose is a left-over from previous numbering schemes. Taking into consideration that the room’s object number is publicly available in the SSSB’s website when the room is open for biding , and that especially in some periods like August , SSSB updates the available rooms every 3 days, it shouldn’t be really difficult to deduce all the possible object numbers for all the apartments in SSSB premises. Worst case scenario, with only the abcd part available for each housing area , one could fire up his THC Hydra and get the valid object numbers from the successful logins. ***I’m not suggesting that you should go and do that ***.
Sure it’s not a life threatening issue , but it just comes to show how easily sophisticated access control systems can be circumvented due to bad design and implementation solutions. Your neighbor had a party at the night before your exam ? Well, no laundry for him in the next month ! Or worse, consider an automated script changing laundry booking times every hour for all the students leaving in SSSB ( That was up to 7000 rooms in 2000, sssb doesn’t have updated statistics but I guess it’s valid to argue that it is more than 10000 people ) . Really not convenient . 10000 students walking around with dirty clothes in the trendy and fashion-victim Stockholm , shouldn’t be that much fun ! One can go a bit further in the paranoia zone and claim that valuable information about the whereabouts of a tenant can be determined from the laundry bookings ( time of day that he/she is at home e.t.c. )
The solution : The solution isn’t that hard to implement. SSSB already has an authentication system for the website and a general sssb account, based on the personal number of tenants and a password. How hard can it be to connect that to the booking portal ? I contacted SSSB in October 2010 but after the kind reply from the helpdesk thanking me about my thoughts and assuring me that it will be forwarded to the people managing the system, nothing has been done , so I guess it’s fair to come out with the issue and let all interested parties know. I , for one, am already irritated enough by my bookings moving time slots “by themselves” often enough.
Keep clean 😉
Harvesting google profiles
Some minutes ago, I saw an interesting tweet from Mikko H. Hypponen saying that he found out that all (yes, as in ALL – 35,513,445 ) google profiles addresses can be retrieved from a single XML file . Looked through it and , yeap, he was quite right.
Well , all these information is going to be useful somehow ,right? Right. In case it’s going to be removed here is a simple way to harvest them before that happens :
#!/usr/bin/env python import urllib from BeautifulSoup import BeautifulStoneSoup as bs xml = bs(urllib.urlopen('http://www.gstatic.com/s2/sitemaps/profiles-sitemap.xml').read()) for i in xml.findAll('loc'): try: urllib.urlretrieve(i.text, i.text[35:]) print 'Downloaded %s' % i.text[35:] except Exception, err: print '%s could not be retrieved' % i.text print 'All done'
That’s it, save it , run it and wait 🙂 Not that I used it, but I calculate that you get around 1.7 GB worth of profile links .
Well , the juicy part is obviously the harvesting of the information from the profiles themselves. People are mentioning on twitter that Google is aware for a long time, or at least should be. Thoughts about the potential implications from that harvesting, on a blogpost to come .
OMNeT++ and Oversim on Ubuntu Maverick
OMNeT++ is a C++ simulation library and framework, primarily for building network simulators and oversim is an open-source overlay and peer-to-peer network simulation framework for OMNeT++ . I will be using it for simulations related to my MSc thesis , so I tried to install it and get everything working a while back. There were some small problems with the installation flow which , however easily solvable in the end, caused a couple of lost hours. So I wanted to note it down for future reference and in case anyone else finds it useful .
The goal is to install OMNeT++, the patched INET framework needed by oversim and oversim itself. So let’s start with
OMNeT++
create a dir to hold all the programs .i.e ~/simulations
Grab the tar.gz from the website , and unpack it to ~/simulations. The documentation is pretty straight forward regarding dependencies and other details. Install the required packets with :
sudo apt-get install build-essential gcc g++ bison flex perl \ tcl-dev tk-dev blt libxml2-dev zlib1g-dev openjdk-6-jre \ doxygen graphviz openmpi-bin libopenmpi-dev libpcap-dev \ tk8.4-dev libgmp3-dev blt-dev Â
Now before compiling omnet++ you will need akaroa . Register and download it, unpacking it to ~/simulations also. The problem with gcc 4.4.4 that was mentioned in omnet++ install guide seems to be fixed with gcc 4.4.5 but still if you try to compile you will get errors like the following :
/bin/sh: pushd: not found
This has to do with /bin/sh being linked to /bin/dash instead of /bin/bash in ubuntu’s latest releases. To fix it once and for all do the following:
# rm -f /bin/sh # ln -s /bin/bash /bin/sh
Now cd to the akaroa dir , and compile it with ./configure && make && make install as usual.
NOTICE that if you are on x86_64 you need to add -fPIC to the compile options for akaroa, otherwise omnet++ compilation will fail later. To do that , go to the file src/Makefile.main and add -fPIC to the options on lines 110 and 114 so that it becomes like this
%.o:Â Â Â %.C @echo Compiling $< @$(CPLUS) $(CPLUS_FLAGS) -c $(INCLUDE) -fPIC $< -o $@ %.o:Â Â Â %.c @echo Compiling $< @$(CC) $(CC_FLAGS) -c $(INCLUDE) -fPIC $< -o $@
Next go back to the omnet++ unpackaged dir. You need to add omnet’s bin dir to your path, the way to do it permanently is to add the following line to your ~/.bashrc file (assuming you followed the file structure I suggested , if not edit accordingly)
export PATH=$PATH:$HOME/simulations/omnetpp-4.1/bin
Now compile omnet++ with ./configure && make && make install . To verify that it was successful , go to samples , run the demo and choose any of the available ones.
Patched version of INET framework
Grab the archive from here and unpack it in the ~/simulations directory.
run make in the directory
Oversim
Grab the archive from here and unpack it in the ~/simulations directory.
run make in the directory
That’s it, you should be ready now !
Introducing creepy …
or “The birdy told me where you’ve been” .
Creepy – A geolocation information aggregator
Background:
Well, privacy concerns with regards to information shared across social networking platforms is not something new. At the same time it doesn’t get old also. I will spare you the links session, google can fetch all the papers , articles you ll ever need. Location awareness is rolled out not only in platforms created for that reason ( foursquare, gowalla ) but also in facebook ( call me places ), twitter ( location feature(?)) . Moreover as was shown here , almost a year ago, by Johannes B. Ullrich (@johullrich) users tend to ( even unknowingly ) share their location via EXIF tags in the pictures they share with everyone on image hosting services. Then came PleaseRobMe and iCanStalkYou which really helped to made the point clear.
What :
Creepy is a geolocation aggregator. It searches for a users geolocation information that he/she has shared publicly in the social networking platforms that he/she uses. In the version released , twitter, flickr, foursquare (through twitter ) and a list of image hosting services are supported. You feed creepy with the twitter username and/or flickr id of the user and it retrieves all the locations the user has shared. Locations are determined by
- Location information on twitter
- foursquare checkins
- exif tags from pictures uploaded to a number of image hosting services and posted to twitter
- geolocation information from photos posted on Flickr
Locations are presented as a list and are also shown in an embedded map ( courtesy of the awesome osmgpsmap widget) . For each location, the context is also presented ( i.e. the text that the user tweeted ) . Features include automatic caching of discovered information ( retrieved tweets, determined locations ) in order to minimize API calls to twitter and flickr, and a (not so nice) GUI in pygtk.
Why :
Well , I have had the idea since I first read the article by Dr . Ullrich. Then came icanstalkyou and pleaserobme , but it was not exactly what i was thinking about.
Ok, the goal is double. First , to raise awareness . By making the process of retrieving and analyzing all the shared location-specific information that users share , easy and automated , I hope to make clear how easy it is for someone to stalk you, rob you, find out where you ve been and why e.t.c. It’s not worth to rewrite how one can defend himself and control the information he is sharing so I ll provide a link to the instructions posted on icanstalkyou about disabling geotagging in smartphones and see here about how to enable/disable the location feature in twitter.
The second goal is to create a tool to add in your social engineering toolbox. The ethics are a bit blurry , so I just want to state that I do not endorse stalking or any other form of use of creepy for malicious purposes . What the app does is to aggregate information already publicly shared . If you find that useful, you’ re welcome to use it 🙂
Screenshots :
Here are some screenshots of creepy in use
Where :
You can find creepy on github . I can count on the fact that there are many bugs lurking around, so use the tool , find them, and I’ll promise I’ll fix them soon enough . Enjoy !
Network forensics afternoon
Well, strange things happened today . While working on a project , I noticed a strange high incoming network traffic on the system monitor of my ubuntu machine. High, as in ~8MBps with small bursts that lasted some minutes and produced ( according to system monitor again ) a total download traffic of 1.9 GB .
As you can imagine I was pretty surprised , I was sure I was not running anything that could cause such amounts of traffic . The applications running at that time were skype, firefox , thunderbird and Aptana studio none of which could result to that kind of traffic (I had only one tab open in ff at the time , pointing to KTH website , and Aptana’s automatic update process needs user confirmation in order to download updates) . My first reaction was to run netstat , which produced uninteresting results , typical ESTABLISHED connections by thunderbird to the imap servers it was supposed to, a connection to ip 174.129.193.12 initiated by an application recognised as “python” ( which was actually the ubuntu one client ) , one regarding skype and one regarding ff as expected more or less. I didn’t keep the output somewhere but I’m pretty sure I didn’t miss anything there. As I was gradually getting from surprised to worried since the traffic seemed to continue at approx the same rate, I fired up wireshark and started capturing my wired interface. Couple of minutes after that the traffic stopped and I haven’t noticed anything peculiar since.
So I started to check the capture , trying to find the stream that produced the traffic I observed. From a first look there seemed to be many long UDP flows from different IP addresses (various high ports) to a specific IP address (not my interface’s though) on port 51508 . The destination address is in the same subnet as mine and I have confirmed that is up and port 51508 (among other high ports is open). This smelled like bittorrent traffic from distance . To confirm , here is what a random packet of that stream looked like :
0000 0c 60 76 61 69 98 00 12 bf d9 bf 65 08 00 45 00  .`vai... ...e..E. 0010 00 83 5f cc 00 00 0e 11 8f 96 18 71 f4 7d d5 67  .._..... ...q.}.g 0020 da b1 fb 21 c9 34 00 6f fd 34 64 31 3a 61 64 32  ...!.4.o .4d1:ad2 0030 3a 69 64 32 30 3a 49 b8 74 ec 25 bf d6 64 bc 10  :id20:I. t.%..d.. 0040 b8 94 e1 60 fd 59 b8 b0 45 15 36 3a 74 61 72 67  ...`.Y.. E.6:targ 0050 65 74 32 30 3a 49 b9 33 f4 ee 98 e2 29 bd 70 f2  et20:I.3 ....).p. 0060 a3 95 7b de d5 05 8d 38 01 65 31 3a 71 39 3a 66  ..{....8 .e1:q9:f 0070 69 6e 64 5f 6e 6f 64 65 31 3a 74 34 3a 84 8c 00  ind_node 1:t4:... 0080 00 31 3a 76 34 3a 55 54 57 b2 31 3a 79 31 3a 71  .1:v4:UT W.1:y1:q 0090 65                                                e
which is actually a find_node DHT QUERY as described here . While this sort of explains the nature of the traffic , it doesn’t explain
a) Why was I apparently receiving this traffic when I was not supposed to in the first place .
b) If I was receiving the traffic, what was it and where was it stored in my machine.( remember we are talking about ~2GB of data.)
To start with b) I didn’t remember the last time I checked how much space i was using on my disk, but the current usage percentage didn’t seem alerting by itself. So , this is where find(1) came in handy
~$ find . -type f -mmin -120 -printf '%p %s \n'
didn’t reveal anything interesting although. There were a bunch of files modified in the past 2 hours , but none of them seemed suspicious or modified with no reason.
as to a)Â I can only make wild guesses. One detail that might be interesting is that yesterday all the switches in the building were replaced so to support the 100/1o we are ow offered (hence the 8,4 MBps in the beginning) .It doesn’t look like an ARP attack , according to the capture. But what kind of misconfiguration would have these kind of results ? I can see a lot of packets addressed to other hosts. CAM table overflow at the switch ?But why I was seeing the traffic in the system monitor ? Shouldn’t those packets be dropped by my NIC ? It wasn’t in promiscuous mode before I ran wireshark .
So ? Comments, suggestions , answers to the questions ?
WE Protect not.
Yes, WEP is deprecated , proved to have some really nasty flaws , old story right ? Searching for “wep crack” in Google brings some 1 million results.A very nice explanation of why WEP is insecure can be found in this book . There is really no interest in discussing the matter anymore.
The interesting part of the story is how many people are still using WEP despite all that. Reasons vary from users ignorance to vendors’ continuing support of WEP in home routers/AP products e.t.c . Moving around the last 2 years I was always surprised by how many WEP – “protected” wireless LANs one can find in every city/neighborhood. The days when cracking into those was a challenging process are long behind , what I find interesting is having an overview of the amount of WEP usage in any given circumstance. Hence I came up with the following python script that takes advantage of the iwlist utility from the wireless-tools package and provides an overview of the usage of WPA/WPA2 and WEP in the wireless LANs that are detected.
It needs the pyparsing module (python-parsing package in debian/ubuntu)
#!/usr/bin/env python import subprocess from pyparsing import Literal, SkipTo, OneOrMore def wepPercentage(output): last_line_a = Literal('Group')+SkipTo(Literal('\n').suppress()) last_line_b = Literal('Authentication')+SkipTo(Literal('\n').suppress()) start = Literal('Cell')+SkipTo(Literal('\n').suppress()) end =OneOrMore(Literal('IE: ')+SkipTo(Literal('\n').suppress()))+~last_line_a|(last_line_b+~Literal('IE:')) line = ~end + SkipTo(Literal('\n').suppress()) expr = start+OneOrMore(line)+end wpa_count = 0 wep_count = 0 unenc_count = 0 for l in expr.searchString(output).asList(): li = ''.join(l) if 'Encryption key:on' in l: if 'WPA' in li: wpa_count += 1 else: wep_count += 1 else: unenc_count += 1 tot = wpa_count+wep_count+unenc_count print "WPA / WPA2 :%d  Percentage : %d %% " % (wpa_count, (wpa_count*100/tot)) print "WEP :%d  Percentage : %d %% " % (wep_count, (wep_count*100/tot)) print "Unencrypted :%d  Percentage : %d %% " % (unenc_count, (unenc_count*100/tot)) if __name__ == '__main__': process = subprocess.Popen('iwlist wlan0 scan', shell=True, stdout=subprocess.PIPE) output = process.communicate()[0] wepPercentage(output)
I live in a rather densely populated student dorm in Stockholm and at the time my output is something like :
WPA / WPA2 :28Â Â Percentage : 82 %
WEP :6Â Â Percentage : 17 %
Unencrypted :0Â Â Percentage : 0 %
almost 20% of all people here that use some kind of wireless router , chose WEP . Great 🙂
How about your neighborhood ? Feel free to share percentages .
ps. It would probably be easier to use python’s re module instead of pyparsing . But I needed to use pyparsing for a project so I thought i d get my hands dirty with it anyhow.
ps2. It can probably be done in 5-6 lines in a bash shell using awk too .
“Hello World” or “Oh mum, what a complex World”
Hello World is a typical example of a small program used as an introductory tutorial for all programming languages. It has also evolved to act as an introductory act for blogs as well . WordPress creates a “Hello World” post automatically when creating a blog. Anyway you got the point. Given that one would imagine that a Hello World in any given language is a fairly simple piece of code. And it usually is. But simple to write doesn’t necessarily mean not complex.
McGraw[1] defines software complexity as one of the three factors in the trinity of trouble for software security. The other two are connectivity and extensibility.
So we have a simple HelloWorld code snippet in Java :
public class Hello { /** * @param args */ public static void main (String[] args) { // TODO Auto-generated method stub System.out.println("Hello World!"); } }
Fairly simple right ? Can you imagine how many system and library calls this program makes while executing ?
System Calls :
ilektrojohn@securebook:~$ strace -c -f -q java HelloHello World!upeek: ptrace(PTRACE_PEEKUSER,19107,120,0): No such process% time   seconds  usecs/call   calls   errors syscall------ ----------- ----------- --------- --------- ----------------100.00   0.044222     533     83     3 futex  0.00   0.000000      0    632      read  0.00   0.000000      0     2      write  0.00   0.000000      0    109     61 open  0.00   0.000000      0     49      close  0.00   0.000000      0     58     28 stat  0.00   0.000000      0     44      fstat  0.00   0.000000      0     50     1 lstat  0.00   0.000000      0    598      lseek  0.00   0.000000      0    125      mmap  0.00   0.000000      0     51      mprotect  0.00   0.000000      0     20      munmap  0.00   0.000000      0     10      brk  0.00   0.000000      0     27      rt_sigaction  0.00   0.000000      0     42      rt_sigprocmask  0.00   0.000000      0     18     16 access  0.00   0.000000      0     2      sched_yield  0.00   0.000000      0     2      socket  0.00   0.000000      0     2     2 connect  0.00   0.000000      0     11      clone  0.00   0.000000      0     2      execve  0.00   0.000000      0     1      uname  0.00   0.000000      0     4      fcntl  0.00   0.000000      0     1      ftruncate  0.00   0.000000      0     6      getdents  0.00   0.000000      0     1      getcwd  0.00   0.000000      0     1     1 mkdir  0.00   0.000000      0     1      unlink  0.00   0.000000      0     4      readlink  0.00   0.000000      0     4      getrlimit  0.00   0.000000      0     3      getuid  0.00   0.000000      0     2      getgid  0.00   0.000000      0     3      geteuid  0.00   0.000000      0     2      getegid  0.00   0.000000      0     2      arch_prctl  0.00   0.000000      0     1      setrlimit  0.00   0.000000      0     12      gettid  0.00   0.000000      0     24      sched_getaffinity  0.00   0.000000      0     2      set_tid_address  0.00   0.000000      0     1      clock_getres  0.00   0.000000      0     13      set_robust_list------ ----------- ----------- --------- --------- ----------------100.00   0.044222          2025    112 total
Library Calls
ilektrojohn@securebook:~$ ltrace -c -f java Hello Hello World! % time   seconds  usecs/call   calls    function ------ ----------- ----------- --------- --------------------  91.11   0.126965    126965     1 pthread_join   1.68   0.002335      53     44 fgets   1.50   0.002085     2085     1 dlopen   0.73   0.001015      59     17 JLI_MemAlloc   0.52   0.000727      45     16 JLI_StringDup   0.37   0.000522      43     12 strcspn   0.37   0.000515      42     12 strspn   0.37   0.000511      28     18 strlen   0.36   0.000498      33     15 JLI_MemFree   0.30   0.000422      38     11 getenv   0.27   0.000372      46     8 sprintf   0.25   0.000343      42     8 strrchr   0.21   0.000295      36     8 strcat   0.19   0.000260     130     2 fclose   0.17   0.000233     116     2 fopen   0.16   0.000224     112     2 readlink   0.14   0.000196      98     2 getuid   0.14   0.000191      95     2 access   0.13   0.000182      91     2 __xstat   0.12   0.000161      80     2 getgid   0.11   0.000154      77     2 geteuid   0.11   0.000152      76     2 getegid   0.10   0.000136      27     5 strchr   0.08   0.000116     116     1 pthread_create   0.08   0.000115      57     2 memset   0.07   0.000103      51     2 strcpy   0.07   0.000102      51     2 strncpy   0.07   0.000095      47     2 JLI_FreeManifest   0.06   0.000086      43     2 fflush   0.04   0.000059      59     1 putenv   0.04   0.000057      57     1 pthread_attr_destroy   0.02   0.000034      17     2 dlsym   0.01   0.000018      18     1 pthread_attr_init   0.01   0.000016      16     1 JLI_WildcardExpandClasspath   0.01   0.000016      16     1 strncmp   0.01   0.000014      14     1 pthread_attr_setstacksize   0.01   0.000014      14     1 getpid   0.01   0.000013      13     1 pthread_attr_setdetachstate ------ ----------- ----------- --------- -------------------- 100.00   0.139352          215 total
You can get the drill, complexity is a beast. Ah, and I almost forgot : Hello world 😉
[1] Gary McGraw (2006). Software Security, Building Security In. Crawfordsville, Indiana: Addison-Wesley Professional. p7-10.