On Tuesday the 17th of October 2017, the hackers.mu team had a public podcast on Modem Insecurity in Mauritius. Fifteen minutes after the start of the broadcast, there were already about 30 views from the public. We had over Keshav Purdassea, a student in cybersecurity as guest to ask questions. We also had people asking questions on the Facebook hackers.mu public group.
Logan from hackers.mu made a smart introduction during the podcast about its goal which is informing the public about the vulnerabilities found in Huawei Modem. You can view the video which has been uploaded on youtube here :
Codarren from hackers.mu laid emphasis on several interesting points such as the state of Dnsmasq. He also gave some interesting hints to launch commands on the router which is not similar like a usual Linux Box. He explained how all processes are running as root including Dnsmasq. Codarren recently had a conversation with engineers from Huawei and it’s quite obvious that Dnsmasq is also doing DNS. It was recommended to run Dnsmasq as a non-root user which is one of the best practice in any Linux Box. Someone can craft a DNS packet and run this on the modem with the intention to control it remotely. This security risk needs to be reviewed again.
In addition, I made a brief introduction on the preliminary precaution that can be taken to minimise impact such as deactivating Telnet or even SSH on the router. We also noticed how it’s possible to download the configuration file and decrypt it. All passwords can be seen clearly on the configuration files. The binary aescrypt2_huawei can be downloaded from the hackers.mu Facebook group. Here are the steps to be followed to decrypt it :
We also had Yash Paupiah, President of the UOM Computer Club who made a sensitive point regarding as to whether the patch was supposed to come from Mauritius Telecom or Huawei. After some research, we noticed that there was no patch from Huawei itself.
The whole team of hackers.mu and myself invite you to join our Facebook group and Twitter to keep in touch for our oncoming Live podcasts, Hackathons, Public events etc..
The hackers.mu team which is the first group of Linux and BSD developers in Mauritius invitedPhilipp Buehler, an international cybersecurity expert. He spoke about his experience in cybersecurity and gave recommendations for people interested by the the field or just want to learn new skills in that area. He also emphasised heavily on Network and Security infrastructure, Firewalls, IPS, IDS and several other components. You can view the slide here :
It was an open talk. Several topics such as Fragmentations and Protocol issues were tossed from the audience. One of the interesting topic was on IPS – Intrusion Prevent System. Philipp explain how most of the time if wrongly configured the system does not prevent any attack but instead legitimate packets. Typically, since it is an automated system and usually we have Crons which run at night and based upon some patterns by the IPS, same is interpreted as an attack and finally several IPs are banned and finally we land in a debug session. He pointed out about putting it back to an IDS – Intrusion Detection System. Support of IPV6 to several IDS were proposed as one example for University projects. It was amazing how Philipp re-drew the OSI diagram in a practical way and mentioned the “8th layer”. Another interesting diagram explaining how the Kernel interacts with the CPU, Memory and Disk to illustrate the Userland, the Kernel and the hardwares.
If you think about the number of attacks on the rise in the world, statistics and figures would proved you all. For example, if you think about preventing attacks such as, Man-in-the-Middle attacks, guidance in implementing the right TLS Protocol, formerly called SSL is important. TLS is the security protocol that underlies the web. Passive attacks such as tapping – Monitoring of unencrypted communications, Encryption – Intercepting encrypted information flows, Scanning – Scanning ports connected on the Internet and Traffic analysis – building and processing of information from data analysis are surely on the rise. The RFC 7258 as described emphasised on pervasive monitoring mitigations where possible. Pervasive monitoring is also described as an attack and therefore it is an offence.
In 2017, we had so many cybersecurity disasters – Active attacks such as the Shadow Brokers which claimed to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. We had also the WannaCry which netted almost 52 bitcoins, or about $130,000. The Wikileaks CIA Vault 7 which contains alleged spying operations and hacking tools. The hackers.mu team, clearly reacted on this issue under the Operation Crypto Redemption and submitted several patches and encouraged many Open Source organisations to patch up those vulnerabilities. According to Africa News, only South Africa seem to be impacted. It can clearly be seen that the attackers know which country they are aiming during mass phishing.
AFRICA least hit by WANNACRY – Photo credits Africanews.com
But hey! If you give a thought about it. Did the attackers really aimed Africa? Why Africa was not really impacted? I highly doubt that there was a pervasive monitoring prior to the attack. It may also not be the case due to phishing as it depends who got trapped with the malware. Still phishing on large scale can be behind the intelligence of Pervasive monitoring! On the other hand, Checkpoint demonstrated how the risk is high in Africa with a map below displays the risk index globally (green – low risk, red- high risk risker, white – insufficient data), demonstrating the main risk areas around the world.
Several countries were listed as white due to insufficient data which could account to reliable data about the risk index in the African continent. Of course, it describe active attacks risks in the African continent. Attacks over countries are now evolving. What I mean is that there could be first a pervasive monitoring system which help attackers to move further towards their target for example: When to perform a mass phishing to get more money!
The fundamental of pervasive monitoring remain mostly about building profiles of a person. It is clear that many are vulnerable to these type of attacks due to presence on social media and social networks. A nation can be a target! Staffs from a particular company can be a target! But what is most sensible is when the data from pervasive monitoring has already been processed into meaningful information, attackers can sell those information which cost millions and may be billions of dollars.
Over the past decade, the billion people who live in Africa have experienced the fastest growth the continent has ever seen, and many of its countries (Nigeria, Ethiopia, Mozambique, Guinea) are among the fastest growing in the world. A growing body of evidence backs our view that as Africa’s population doubles to two billion over the next several decades, its GDP will increase from $2 trillion today to $29 trillion in today’s money by 2050. What has changed? Many governments have learnt from their mistakes and seen the positive reform examples not just in Asia, but more importantly in Africa itself, from Mauritius to Botswana and Cape Verde, and now Ghana to Rwanda. In most countries there has been no single reform miracle, like China’s in 1978 or India’s in 1991, but rather a series of small steps which taken together have been just as powerful. – cnn.com
Since Africa is on the edge of a rich economy boom, passive attacks will be on the rise probably from many other countries which will want to invest heavily. But where to invest? How much to invest? The information will be on sale probably from a cheap pervasive monitoring instead of an expensive survey!
We all knew that it is difficult to detect pervasive monitoring. However, I believe that data which had been processed from pervasive monitoring can still be analysed again to understand how it was used. For example: Pervasive data gathered during a previous election campaign comparison with a new election campaign. The dark web is not just being used by individuals. According to Corregedor, private organisations and governments are increasingly using it as a source of threat intelligence.With the threat of cybercrime comes the threat of cyberwarfare, and state-sponsored attacks on multinational corporations or other countries. South Africa, as with any other country, is equally at risk from this kind of threat, Corredegor says, because it is difficult to monitor the dark web for national threat intelligence. – mg.co.za
As first defence, it would be better to adopt TLS to prevent eavesdropping. The use of DNSSEC, SMTP Strict Transport Security and various other security protocols should be taken into consideration. Bear in mind that DNS tells all about you, from where you shop, what you shop online, what web pages you looked out and what you purchased! ISPs should enforced security protocols such as PKIs (Public Key Infrastructure), DANE (DNS Authentication of Named Entities) and DKIM (Domain Keys Infrastructure Mails). Improving internet infrastructure must progress before it is too late. Emails that are not digitally signed are also a good source of data to be processed anew. A simple example of dead.letters can be a source of getting gathering data on the internet.
According to The New York Times, the NSA is monitoring approximately 100,000 computers worldwide with spy software named Quantum. Quantum enables the NSA to conduct surveillance on those computers on the one hand, and can also create a digital highway for launching cyberattacks. A Proof of Concept explained by NetreseC how to detect “Quantum Insert” in the network environment.
One of the various reasons we don’t have much privacy in the online world is that people simply don’t realised the amount of information they leak daily. Worst is when companies leak information of staffs. To resolve such scenarios, since computer today are fast enough, norms to ensure that companies are implementing the use of tcpcrypt can be made mandatory.
Some days back, I was brewing up some plans to optimise my website source codes, HTTP headers, latency and other security aspects. I had to carry out some analysis and research using some tools available on the internet. I should admit that, at first, it looked pretty simple, but it was not. For instance, I did not permit myself to directly modify the production environment. So, I had to migrate it on a pre-production environment. Page caching was yet another issue which could trick oneself after modifications.
Since my website is behind Cloudflare, which is already an advantage in terms of security, performance, reliability and insight, it does not mean that the website cannot be hacked. According to sucuri.net, websites using WordPress CMS are constantly being hacked. Of course, it depends on the mode of attack and the infection impact.
Migrating to TLS
Migrating a CMS which already has several articles posted can be an issue as the URLs are already recorded in the database as well as in the source code itself. Also, there were links on the website which were not pointed on HTTPS. After moving to the HTTPS version, errors such as “Mixed content” could be noticed when accessing the website. One of the interesting free feature of Cloudflare is that everyone can have a free SSL certificate issued by Comodo. You will have to generate your certificate and your private key from Cloudflare and point it on your Virtual Host.
Some corrections on WordPress source code needed to be added in the wp-config file as follows:
On top of that, there seemed to be lots of URLs on the database itself that needed corrections using the following commands:
update wp_options set option_value = replace(option_value, ‘http://www.tunnelix.com’, ‘https://www.tunnelix.com’) where option_name = ‘siteurl’;
update wp_posts set guid = replace(guid, 'http://www.tunnelix.com', 'https://www.tunnelix.com');update wp_posts set post_content = replace(post_content, 'http://www.tunnelix.com', 'https://www.tunnelix.com');
However, there are some tricks to identify those non-HTTPS URLs by making a dump of the database and do a “Grep” in it, followed by a “Sed” to eliminate those unwanted parameters. Once the “Mixed Content” errors have been identified, I launched a scan on the Qualys SSL Labs website. The result was an “A+”. You can also use the Htbridge free SSL server test which is pretty fascinating especially to verify PCI DSS Compliance, HIPAA compliance, NIST guidelines and industry best practice in general. If all those criteria have been met, then you would score an “A+” rather than an “A” or worse a “F”.
Source code optimisation and Page speed verification
This can be verify using the GTmetrix tool available for free online. I noticed that my rank was a “C”. This was caused due to lack of minified HTML and CSS, and Image dimension. To handle the minify HTML errors, I enabled the plugin Minify HTML Markup on WordPress itself which corrected these errors. To tweak the Image dimension i downloaded the tool Optipng from Epel repository:
For example, if you want to optimize a specific image, use the following command:
Another verification was made on GTmetrix website and i noticed that the result was then an “A”
Tweaking the Web server HTTP headers
Htbridge will surely give you an overview of the web server security and will accompany you step by step to get a better result.
Of course, since the website is behind cloudflare, it is limited to certain security tweaks such as Public-key-pins.The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of Man-in-the-Middle (MITM) attacks with forged certificates. I found an interesting article on https://raymii.org which explained how to activate the HPKP.
Once you are in possession of your certificate and Private key, you can create the public key and a token will be received to activate the HPKP extension. The following commands can be used to get the token and the public key.
However, it looked that HPKP is not supported on Cloudflare. But, there are other issues such as HSTS. HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. I enabled it as per recommendations by Cloudflare.
A curl on the url https://tunnelix.com now prompts the following headers :
No system is perfectly secure, but I believe that these modifications are worth to adventure around. I should say I was really impressed by free tools such as the Qualys SSL test, HTbridge free SSL and Web security test and Gtmetrix in terms of page speed.
Hello Tunnelers, this is my first article for the year 2017, I seize this opportunity to wish my readers a Happy New Year 2017 and wish you all lots of prosperity. – TheTunnelix
Some days back, i received an invitation to attend an online course by Varonis on Web Security Fundamentals which has been conducted by Troy Hunt. I should say though this course is for beginners, its worth watching and pretty interesting. Troy Hunt is a security developer and author of PluralSight tutorials. You can join the course at Web Security Fundamental on Varonis website.
Some world biggest data breach examples were enumerated at the beginning of the mini course followed by some statistics and the impact of web security. The following points were enumerated:
Insufficient Transport Layer Security
Insecure Password Storage
Cross site Scripting (XSS)
Weak account management
The course composed of the impact of the risk, how it works with examples and demos as well as defense techniques to be used to strengthen the system.
An example given using tool such as Havij to automate SQL injection. This tool is a GUI pretty straight forward such as to enter the URL, followed by the tables, columns etc.. to retrieve information from a database. This will result in leaking of information from a website is same is not secured. Several ways to defend against SQL injection attack is to :
Validate untrusted data – Has the user provided valid input to the system?
Parameterize queries – Seperate the query and the data
Lock down the Database permission – Apply the ‘principle of least permission’
Apply ‘Defence in depth’ – Web application firewall and cryptographic storage
Transport Layer Security
This part was elaborated on the lack of encryption on network layer such as missing HTTPS security, especially how the risk manifest. An example of a key logger was used to retrieve information from a web page. Defense of such type of attacks were emphasized on the following points:
Apply TLS – Literally apply TLS to encrypt by default
Strengthen TLS – Ensure it is a strong implementation of TLS
Lock down Application – Use construct that disallow communication over insecure connections.
Apply the same control internally – Attacks on the Transport layer can occur behind firewall too
Insecure Password Storage
Encryption and Decryption mechanism need to be mastered at this level as this is the basic concept of preventing attacks on insecure password storage. An example of brute force attack was demonstrated. One of the tool is Hashcat which was used as proof of concept. To prevent such types of attacks:
Always hash and never encrypt – This work on the assumption that the entire system may be compromised.
Choose the right algorithm – Get the balance between workload and performance right.
Enforce password rules – Stronger password are significantly harder to crack.
Encourage strong password – Do not place arbitrary limits on password strength
Cross-Site Scripting (XSS)
A demo was shown on this aspect using a “search” example on a website search engine. The aim is to search mechanism that can be exploited.
Defense against such type of attacks were on the following points:
Validate untrusted data – Has the user provide valid input to the system?
Always Encore output – Ensure that any reflected input is rendered in the browser
Protecting cookies – Flag cookies as ‘http only’ so they cannot be accessible by client script.
Weak Account Management
To manage weak accounts, the following factors need to be taken into consideration:
Poor password rules
Lack of brute force protection
Insecure ‘remember me’ feature
Vulnerable password change feature
Enumerable password resets
Here are some tips against account enumeration attacks:
Always respond identically – Return the same message to anonymous users
Use email for verification – Email the address and confirm or deny account existence there
Consider other enumeration vectors – Login and registration are other common channels for disclosure.
Consider the risk in context – Different application have different levels of privacy expectation.
To resume, its important to grasp the fact that good security is ‘defense in depth’. Security needs to be considered in the context of cost as well as usability as many of these attacks provide vectors into the internal network. Security goes well beyond. The tutorial ensures that questions are being asked at all levels to ensure security such as:
Is access to data logged and auditable?
Do you have visibility to resource accessible via access controls?