Tag: security

cyberstorm.mu is promoting Signal

“Going further and beyond” – that’s the motto of cyberstorm.mu. Indeed, there are many people everywhere calling themselves professionals when in fact they are merely wearing a mask and showing off in public. I would also claim that no one is perfect in the field of IT and security; however, accepting oneself and moving on to the next stage is the real goal.

photo credits: cyberstorm.mu

What and why Signal? I posted an article yesterday to elaborate on the application. cyberstorm.mu is not only promoting Signal but many free and open source security software projects such as Tor, Bitcoin and others, to liberate each and every one of us from this sick society where governments are spying on your personal stuff. I did some research on Signal and concluded that it is indeed amazing!

With the help of Logan, a member and contributor of cyberstorm.mu, I made an audit of the Signal code and noticed that some improvements could be made to one of the libraries. A remote hacker who can probe the memory could harvest sensitive information left in it.

The logic – Data in memory (cryptographic keys, for example) should not stay there once it is no longer needed, because someone can look for ways to extract it. An analogy: it’s like wiping your keyboard after entering your password so that people cannot lift your fingerprints and steal it. In other words, code running on the machine can read memory to get at what is stored there. Zeroing buffers that held sensitive information is therefore an exploit mitigation technique. Take an example: imagine an attacker who can see what is in the RAM of the victim’s machine. They can see passwords and everything else. So it is better to delete them when they are no longer going to be used, or even to fill the space with wrong passwords to trick the attacker.

In technical terms, the idea is to overwrite the variable when you are about to get rid of it, so that other programs cannot recover what was there. The key is not to keep secret data in memory longer than necessary. What you overwrite it with matters less; what matters is that the secret itself is overwritten. So let’s see how to put zeroes in RAM to erase what was there before. Keep in mind that this has nothing to do with overflows.
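The following is an added illustration of the zeroing idea, written for this page; it is not code from libaxolotl-c, Signal or the pull request linked below, and the function names secure_memzero, is_all_zero and key_lifetime_demo are our own. The point it shows is the catch that makes "just memset it" insufficient: a plain memset() on a buffer that is about to go out of scope is a dead store, and an optimising compiler is allowed to delete it. Writing through a volatile pointer is one way to force the stores to happen.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not project code: wipe a buffer through a volatile pointer so
 * the optimiser cannot drop the stores as "dead" when the buffer is about to
 * be released. The name secure_memzero is our own choice. */
void secure_memzero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. The OR accumulator
 * keeps the running time independent of where the first non-zero byte sits. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Models the lifetime of a session key: fill it with constructed (not real)
 * key material, "use" it, then wipe it before the function returns.
 * Returns 1 if the key held material while in use and is all-zero afterwards. */
int key_lifetime_demo(void)
{
    unsigned char key[32];
    int had_material, wiped;

    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);   /* placeholder key bytes */
    }
    had_material = !is_all_zero(key, sizeof key);

    /* ... the key would be used for encryption here ... */

    secure_memzero(key, sizeof key);          /* erase before the stack frame is released */
    wiped = is_all_zero(key, sizeof key);

    return had_material && wiped;
}

int main(void)
{
    printf("key zeroed before return: %s\n", key_lifetime_demo() ? "yes" : "no");
    return 0;
}
```

Where the platform offers them, explicit_bzero() (glibc 2.25+, the BSDs) or C11's memset_s() give the same guarantee without a hand-rolled loop; whichever is used, the wipe has to be done by the code that owns the buffer, right before the buffer is freed or goes out of scope.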

Do check out the pull requests and commit at https://github.com/WhisperSystems/libaxolotl-c/pulls

Dare to do a brute force attack again!

Dare to do an SSH brute-force attack again and you are banned!! I have noticed several DDoS SSH botnet attacks on my server these days. Although I prefer SSH to listen on port 22, I can imagine how many attempts can be made to break through it. Though these attacks are very common, they can increase CPU consumption on your server and consequently the server can die. And if you have not protected the server from malicious remote SSH connections, things can get pretty dangerous and the attacker can take over the machine.


fail2ban
Photo credits – fail2ban.org

Fail2Ban is one of the tools you can install on your machine to ban IPs that show malicious signs. Today, with the help of Kheshav, we decided to find a way to reveal all the banned IPs to the public. From the fail2ban log we can find all IPs that are being banned. The solution was an easy one.



1. Install the Node.js and npm packages

yum install nodejs npm

2. Install frontail with the npm utility

npm install frontail -g

3. Now you can launch frontail on any port as a daemon with the following command

frontail -p {port number here} -h {IP or Hostname here} {location of your log} -d

Afterwards, fill in the IP, the port number and the location of the log you want streamed live.

Here are the banned IPs – in US time – attempting brute force on tunnelix.com. You can also view the IPs in the widget on the right side of the blog. It might take a few seconds to load.



There are several websites where you can report IPs for abuse as well as verification of precedent attacks. We are still brewing up some ideas to produce a better and well-defined output of the log.
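As an added example of pulling the banned addresses out of the log rather than just tailing it, here is a small parser written for this page; it is not the frontail tool nor anything from the fail2ban project. The log lines are constructed in the style of fail2ban's actions log (TEST-NET addresses, RFC 5737), and the function names extract_bans and ban_count_for are our own. It keys on the "] Ban " marker, validates that what follows is a dotted-quad IPv4 address, ignores "Unban" lines and malformed entries, and counts repeat offenders.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IP_LEN 16   /* dotted-quad IPv4 plus terminating NUL */

struct ban {
    char ip[MAX_IP_LEN];
    int  count;         /* how many times this IP was banned */
};

/* Constructed sample lines in the style of fail2ban's actions log; not real
 * entries from any server. One line is deliberately malformed. */
const char SAMPLE_LOG[] =
    "2015-10-20 05:54:29,101 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5\n"
    "2015-10-20 05:55:01,220 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7\n"
    "2015-10-20 05:57:13,004 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.5\n"
    "2015-10-20 05:58:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban not-an-ip\n"
    "2015-10-20 06:01:45,333 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5\n";

/* Copy the IPv4 address following "] Ban " on one NUL-terminated line into out.
 * Returns 1 if found and well formed, 0 otherwise ("Unban" lines do not match). */
static int parse_ban_line(const char *line, char *out)
{
    const char *hit = strstr(line, "] Ban ");
    unsigned a, b, c, d;
    int nchars = 0;
    char after;

    if (hit == NULL)
        return 0;
    hit += 6;                                   /* skip the marker itself */
    if (sscanf(hit, "%3u.%3u.%3u.%3u%n", &a, &b, &c, &d, &nchars) != 4)
        return 0;
    after = hit[nchars];                        /* address must end the token */
    if (after != '\0' && after != ' ' && after != '\r')
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || nchars >= MAX_IP_LEN)
        return 0;
    memcpy(out, hit, (size_t)nchars);
    out[nchars] = '\0';
    return 1;
}

/* Walk a whole log buffer line by line, collecting unique banned IPs with
 * their ban counts into out (at most max entries). Returns the number filled. */
int extract_bans(const char *log, struct ban *out, int max)
{
    int n = 0;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        char ip[MAX_IP_LEN];

        if (len < sizeof line) {                /* skip absurdly long lines */
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_ban_line(line, ip)) {
                int j;
                for (j = 0; j < n; j++) {
                    if (strcmp(out[j].ip, ip) == 0) { out[j].count++; break; }
                }
                if (j == n && n < max) {
                    strcpy(out[n].ip, ip);
                    out[n].count = 1;
                    n++;
                }
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* Look up how many bans were recorded for one IP (0 if it never appeared). */
int ban_count_for(const struct ban *bans, int n, const char *ip)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(bans[i].ip, ip) == 0)
            return bans[i].count;
    }
    return 0;
}

int main(void)
{
    struct ban bans[32];
    int n = extract_bans(SAMPLE_LOG, bans, 32);
    for (int i = 0; i < n; i++)
        printf("%-15s banned %d time(s)\n", bans[i].ip, bans[i].count);
    return 0;
}
```

Feeding the real /var/log/fail2ban.log through the same routine gives the per-IP tally that the live stream does not, and repeat entries for one address are the ones worth reporting to an abuse database.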

ZeNmap – The classic way of Nmap

Nmap is a free and open source utility for network exploration and security auditing, whilst ZeNmap is a multi-platform graphical Nmap frontend and results viewer. It was originally derived from Umit, which was created as part of the Nmap/Google Summer of Code program. ZeNmap is compatible with almost all operating systems. I have tested ZeNmap on Ubuntu and FreeBSD and it works pretty fine.


Some basic ‘nmapping’ fun from my Kali Linux box

Look for visible IP in your network –  nmap -sP 192.168.1.0/24

Check which ports are open (SYN scan) – nmap -sS 192.168.1.0/24

Find the operating systems being used in the same network – nmap -O 192.168.1.0/24

You can even send probes with only the ACK bit set (an ACK scan) – nmap -sA 192.168.1.0/24


[Screenshot from 2015-10-19 19:02:35: tested with instances of several OS running on VBox]


Of course, the world of Nmap is so vast that you will need to go through the manual to design your own way of exploring the Nmap command. There are many features and capabilities, such as host identification, port scanning, interrogation of network services, OS detection, etc. How does Nmap work? Every host or device connected to a network has some ports open and waiting for connections, so Nmap initiates connections to the 1000 most commonly used ports and classifies each one: open (a service is responding to incoming connections); closed (no service is running, but the port still responds to probes); filtered (a firewall is blocking the probes); unfiltered (the port can be reached but Nmap cannot determine whether it is open or closed); and finally the combined states open|filtered and closed|filtered.


What is more interesting is the ZeNmap tool, where you can scan a network from a GUI. At this level, timing profiles are defined, such as Paranoid, Sneaky, Polite, Normal, Aggressive and Insane.


[Screenshot from 2015-10-17 11:37:21: a paranoid scan performed here]

ZeNmap can also be used for firewall evasion techniques, source address and port spoofing, and setting flag values at both the IP and transport levels. Results are also shown on a map.


A brief description of the fopen PHP vulnerability

One of the PHP vulnerabilities still being found on many websites involves the fopen function in PHP – CVE-2007-0448. You can secure your website by disabling includes when calling the fopen function.


According to cvedetails.com: “PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI”.


It’s usually not recommended to enable the fopen function in php.ini; however, some developers include it in the code itself for a specific task. Let’s see how this is exploited:

Let’s say we have a page called vulnerability.php containing this code:


<?php
// Untrusted value taken straight from the query string
$vulnerable = $_GET['vulnerable'];
// Deliberately vulnerable: the attacker controls which file gets included
include($vulnerable);
?>

So, $vulnerable = $_GET['vulnerable']; means: take the 'vulnerable' GET parameter (the one in the URL's query string) and store it in the variable $vulnerable. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.


By including the value of the variable ($vulnerable), you are allowing an attacker to inject code. Someone, for instance, can try this in their browser:

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This lets the attacker step out of the intended directory and start exploring the rest of the filesystem. However, if you are running PHP-FPM for a particular instance, only that instance is impacted, as PHP-FPM lets you isolate each running instance within the server.
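To make the fix concrete, here is an added example of the two checks a defender would put in front of a dynamic include; it is written for this page in C so that it can be run and tested stand-alone, and is not the blog's own PHP nor anything from the PHP project. The function names path_stays_inside and allowlisted_page, the PAGES table and the sample file names are all our own. The first function resolves "." and ".." lexically and refuses any request that would climb above the base directory, that is absolute, or that carries a URI scheme (the "URI handler" case from the CVE text); the second is the stronger fix the page recommends, an allowlist that maps a page name to a fixed file so the request never names a path at all.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Lexical traversal check (added example). Operates on the already
 * URL-decoded request value, as the web server would hand it to the script.
 * Returns 1 if the relative path stays at or below the base directory after
 * resolving "." and "..", 0 if it escapes or is otherwise unacceptable. */
int path_stays_inside(const char *req)
{
    int depth = 0;
    const char *p = req;

    if (req == NULL || *req == '\0')
        return 0;
    if (*req == '/')                 /* absolute paths are never acceptable here */
        return 0;
    if (strchr(req, ':') != NULL)    /* "scheme:" prefixes (URI handlers) are refused */
        return 0;
    if (strchr(req, '\\') != NULL)   /* no backslash separators either */
        return 0;

    while (*p) {
        const char *seg = p;
        size_t len;
        while (*p && *p != '/')
            p++;
        len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)          /* ".." at the base: attempt to climb above it */
                return 0;
            depth--;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                 /* ordinary component goes one level deeper */
        }
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Allowlist (added example): the request names a page, the table names the file.
 * Sample entries are constructed for this illustration. */
struct page { const char *name; const char *file; };
static const struct page PAGES[] = {
    { "home",  "pages/home.php"  },
    { "about", "pages/about.php" },
};

/* Returns the fixed file for a known page name, or NULL for anything else. */
const char *allowlisted_page(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof PAGES / sizeof PAGES[0]; i++) {
        if (strcmp(PAGES[i].name, name) == 0)
            return PAGES[i].file;
    }
    return NULL;
}

int main(void)
{
    const char *samples[] = { "pages/about.php", "../../../index.php", "/etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], path_stays_inside(samples[i]) ? "inside" : "REJECTED");
    printf("about -> %s\n", allowlisted_page("about") ? allowlisted_page("about") : "(none)");
    return 0;
}
```

The traversal check is the minimum needed to stop the ../../../index.php request shown above; the allowlist is what removes the problem entirely, because the user-supplied string is compared, never used as a path.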

URGENT – STAGEFRIGHT is here – Update your Android now

This is a straight and direct message to everyone on this planet. YOU NEED TO UPDATE YOUR ANDROID MOBILE PHONES, TABLETS, etc. NOW!!



How many amongst you have an Android device? Are you aware that billions of people around the world are impacted by a vulnerability called Stagefright? After the announcement was made on 27 July 2015 by Joshua Drake of Zimperium, I still noticed that many people are not at all aware of this vulnerability and its devastating effect.



What is Stagefright?

“Stagefright has been called the biggest Android security concern ever. It occurs when malicious code is unknowingly triggered by media in multi-media messages (MMS). Stagefright could affect a billion devices, most particularly those running Android Jelly Bean or earlier. This number, if you’ve taken a recent look at the percentages of different Android versions currently in use, is staggering.” – Androidpit.com

You can download the FREE app from the Google Play Store to verify whether your mobile phone is vulnerable.

The aim of this article is to sensitize everyone to update their Android devices. Please do inform your friends and everyone around you.

Please take note that some companies have not yet released those patches. In that case, I encourage everyone to voice their opinions with the help of Twitter.

Note: some Android devices cannot be patched because the vendor is not sending any updates. In that case, you can disable “MMS on reception”. But that does not keep you 100% safe!


