Guide | azeemnow

2018

Meltdown and Spectre

I am sure by now you have heard/read/watched about these two security vulnerabilities: Meltdown and Spectre. However, if you have not, here is a good place to start: A Simple Explanation of the Differences Between Meltdown and Spectre

In a nutshell, almost all of the major technologies are affected: Apple, Microsoft, Intel, Amazon, ARM, Google, RedHat, VMware, SUSE and more.

What you need to do:

Identify the affected technologies in your environment and if you have not already received advisories from those vendors, contact them for updates and guidance.
- Start with the anti-virus (AV) vendor. The reason you need to start with them is that due to the special nature of these vulnerabilities, your anti-virus (AV) technology needs to be updated before Microsoft patches can be applied. Microsoft is pushing updates to only those systems that are running a compatible version of anti-virus.
- You can check the status of your AV using this Google Doc thanks to @GossiTheDog https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
Applying these patches will impact the performance of the CPU. The level of impact varies based on your system configuration and capacity, however, there have been reports of 15-30% performance impact. For this reason, it is important that you accommodate for the performance hit before pushing updates.
- To limit the performance impact of unplanned patching, Microsoft has added a manual step. After the patch is installed, you need to manually enable a registry key. Without updating the registry key the system remains vulnerable; Reference.
Microsoft has released KB4056892 patch for Windows 10. Patches for Windows 7 and 10 are expected to be released on January 9th.
All of the commonly used browsers are also affected. However, patches for some of these are already available and are expected to be released for others soon: Firefox, Safari, Chrome.
- In case of Chrome version 63 (released in Decmber 2017), there is the option to enable Site Isolation feature. This feature can be enabled by entering the following in Chrome: chrome://flags/#enable-site-per-process; Reference.

In summary, here are the steps:

Contact technology vendors and review their advisories
Plan in advance for any performance impact
Apply patches in the development environment first and test!
- it is important to deploy patches in accordance with your AV’s recommendation. There are public reports of the system crash (BSOD) due to incompatible AV.

As of this writing, following CVE identifications have been assigned: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. These can be used to track remediation efforts.

This is a developing story and it is advised that you closely monitor communications from your technology vendors.

Additional references:

Tagged Cyber Security, meltdown, spectre

2016

Guide, Info Security, Original, Security Blogs, Technology

Burp Suite installation and features

The other day I came across a social media post that was about utilizing Burp Suite to identify vulnerabilities in web applications. I had heard of Burp before but never really had the chance to play around with it – until now.

Just like a lot of other security tools, Burp has a community version along with its commercial product. I decided to download the free edition from here in my home lab. The installation process is straightforward and in no time you have Burp up and running. Here is how the initial interface looks like:

Right when I finished my installation of Burp, I realized that I did not have a web application running in my lab that I could use to test Burp against. Bummer! Now I had to decide between setting up a web server myself or finding a commercial distribution that came pre-built with one. This was a no-brainer – and within minutes I found a few distributions that were designed for testing and learning web application security; such as SamuraiWTF, WebGoat and Kali Web Application Metapackages. I decided to go with SamuraiWTF.

SamuraiWTF gives you the option to run from a live disk or install it in a VM. I decided to install the VM. Here is a good guide to the installation process. I give my VM instance 4GB RAM and 3 cores; more than enough horsepower.

This distribution comes pre-installed with Mutillidae, which is a “free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts”. This was perfect for what I was looking for. Setting up the Mutillidae in pretty simple – all I had to do was change my network configurations to NAT and that was it. However, if you need more information on configuration here are some great video guides on Mutillidae; in fact, I used some of these myself while configuring Burp to work with Mutilliade.

After finishing all of the above prep work, I was ready to run Burp!

For those who are not familiar with Burp, it’s an interception proxy which sits between your browser and the web server and by doing so it is able to intercept requests/responses and provides you the ability to manipulate the content. To do so you have to configure Burp as your proxy. On your VM, this would be your localhost (Proxy Tab > Options):

Likewise, you would have to configure your browser to that same proxy. Here is my proxy configuration on Firefox:

Now as you navigate through your Mutilliadae webpage, all your requests should go through Burp. One thing you have to do is turn on the Intercept option in Burp. It’s under Proxy > Intercept.

What this allows you to do is see the request as its made but gives you the control to either forward it to the web server or simply drop the request (like a typical MiTM). For example, on the login page of Mutilliade i used admin name and admin123 password. And as soon as I hit “Login” I saw the request being made from my browser to the web server in Burp:

In the screenshot above, you can see the two options: Forward and Drop. If you hit forward, the web server will receive this request from your browser and will respond as it would normally. In this case, the account I used to log in did not exist:

Burp has the capability to also capture the responses. It is an option that you can turn on by going to Proxy > Options and towards the middle of the page you will see “Intercept Server Responses”. By turning this on you will be able to see and control both sides of the requests:

If you look at Target > Site Map; on the left pane you will see a list of all the sites that you have visited with the Burp proxy on:

One advantage of the above feature is that it allows you to go back and revisit requests and responses. The sites that are in grey color are those that are available on the target web page but you have not visited them.

Another neat feature is that if you do not want to visit each page individually you can run the “Spider” feature which will map the whole target page for you.

If you go under Spider > Control you are able to see the status of the Spider as it runs:

When you intercept request or response, you have the ability to send that to other features of Burp. You are able to view these additional options by right-clicking on the intercept:

Towards the bottom of the official Burp Suite guide page here you can see a brief description of most of the options shown in the screenshot above. The one I found really neat is the “Repeater” option which allows you to modify and re-transmit requests repeatedly without having the need to perform new intercepts each time.

This concludes my brief journey of getting started with Burp using SamuraiWTF. There is a whole lot more than I had the chance to explore but here is a great reference for advanced topics.

Below is a quick blurb on some of Burps features:

Spider: crawls the target and saves the numerous web pages that are on the target.

Intruder: automated attack feature which tries to automagically determine which parameters can be targeted i.e. fuzzing.

Fuzzing options: Sniper (fuzz each position one-by-one), Battering Ram (all positions on the target receive one payload), Pitchfork (each target position is fuzzed in parallel) Cluster Bomb (repeats through payloads for multiple positions at once).

Proxy: used to capture requests & responses to either just monitor or manipulate and replay.

Scope: controls what (pages, sites) is in/out of the test “scope”.

Repeater: manually resubmit requests/responses; allows modification.

Sequencer: used to detect predictability of session tokens using various built-in tests i.e. FIPS 140-2.

Decoder: allows encoding/decoding of the target data i.e. BASE64, Hex, Gzip, ASCII, etc.

Comparer: allows side-by-side analysis between two requests/responses.

Cheers!

Tagged burp suite, Penetration Testing, SamuraiWTF, web application security

2015

Digital Forensics, Guide, Info Security, Security Blogs

How do botnets work?

How does it feel to know that your personal computer can be remotely controlled by someone without your knowledge for ill purposes? Or worse, instead of a single individual having this unauthorized access to your system it can be a group of people over the internet that controls what your computer does and how it does it. In the field of Information Security, if your system is involved in such control it is considered a bot: a computer system being controlled by an automated malicious program. In addition, your computer system can be part of a larger group of infected computer systems and these collections of infected computers create botnets. Casually, these bots are also referred to as zombies and the remote controller is called the botmaster. So how are these bots born and grow into botnets?

According to Damballa, an independent security firm’s annual threat report, “at its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of 8 percent per week ”. Originally, these bots are developed by tech-savvy criminals who develop the malicious bot code and then usually release on the open internet. While on the internet, the bot can perform numerous malicious functions based on its code design but it most cases it spreads itself across the internet by searching for vulnerable, unprotected computers to infect. After compromising victims’ computers, these bots quickly hide their presence in difficult to find locations, such as computer operating system files. The botmaster’s goal here is to maintain the compromised system behavior as normal as possible so the victim does not become suspicious. Common activities that bots perform at this stage involve registering themselves as the trusted program in any anti-virus program that might be on the victim’s computer. Moreover, to maintain persistence, bots add their operations in systems startup functions which results in bots automatically reactivating even after shutdown/restart. Throughout this process, bots continue to report back to the botmaster and wait for further instructions.

Below lists some of the common operations that bots can perform on behalf of its botmaster:

Sending

Stealing

DoS (Denial of Service)

Clickfraud

They send
– spam
– viruses
– spyware

They steal personal and private information and communicate it back to the malicious user:
– credit card numbers
– bank credentials
– other sensitive personal information

Launching denial of service (DoS) attacks against a specified target. Cybercriminals extort money from Web site owners, in exchange for regaining control of the compromised sites.

Fraudsters use bots to boost Web advertising billings by automatically clicking on Internet ad

As the chart above states, there are numerous functions that bots can perform. However, recently bots have mainly been used to conduct Distributed Denial of Service (DDoS) attacks: utilizing hundreds or thousands of bots from around the whole world against a single target. Botmaster’s goal with DDoS is to use thousands of bots with numerous botnets to attempt to access the same resource simultaneously. This overwhelms the resource with thousands of requests per second thus making the resource unreachable. This inaccessibility of the resource has severe effects on legitimate users and requests. According to FBI, “botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major U.S. businesses. They’ve also affected universities, hospitals, defense contractors, law enforcement, and all levels of government”.

A misconception exists that if your system does not hold any valuable information or if you do not use your system to conduct online financial transactions than an adversary is less likely to target your system. Unfortunately, as much as we would like this to be true, it is not the case. For botnets, the most valuable element is your system’s storage and your internet speed. Our personal computers are now capable of storing and processing terabytes of information seamlessly and are able to use our high-speed internet to transfer this information. As stated by a malware researcher team from Dell SecureWorks, botnets “allows a single person or a group to leverage the power of lots of computers and lots of bandwidth that they wouldn’t be able to afford on their own”.

——————————————————————-

http://www.fbi.gov/news/news_blog/botnets-101

https://www.damballa.com/press/2011_02_15PR.php

http://news.discovery.com/tech/what-are-botnets-110304.htm

http://us.norton.com/botnet/

Tagged botnet, clickfraud, ddos, infostealer, malnet, Malware, spyware

2014

Zotero Review

Browser extension: Zotero

The most difficult part of the research process is keeping track of all of your sources. The traditional methods have been that you print all the pages that you visit, or copy and paste the text from the web sources into a Word document. However, the problem with those methods is not only are they troublesome but also the chance of misplacing them is greater. Moreover, when you are done with your paper and you have to create a citation for each of your sources one-by-one is not only time consuming but also increases factor of human error.

Zotero is a free Mozilla Firefox add-on which makes it easy to organize your sources and searches. It does that by saving the snapshot of the pages and saving the links. The best feature of the add-on is that it automatically creates the citation for your saved sources in both APA and MLA format. In addition, since it is fully compatible with both Microsoft Office and Open Office; you can directory copy your citation into that software.

Another great feature that I like is that you are able to sync your files with Zotero’s online server. This provides not only sense of security that your files are backed up, but also if you log-in from an alternative computer you can still view all your saved sources. In addition, Zotero allows you to share your source with other people. For that, all you have to do is create a new group, place the files that you want to share and sync. You can send an invitation to your group to as many people as you want and they can all view and make changes to your document. This makes group collaboration much easier.

Personally, I’ve been just introduced to Zotero and I love all the user-friendly features that it has to offer. Whenever I am surfing the internet and I come across an article of news that I could use later I simply open Zotero add-on and save a snapshot. In addition, Zotero’s highlight feature comes very convenient t as well. It allows me to highlight text right from the snapshot so that when I come back to that article I know exactly why I saved it in the original place.

Zotero is still an underdevelopment project. It has a dedicated link on its homepage which allows enthusiastic individuals to contribute their new ideas or making improvements. For a new user, they have great support page which comprehensively explains all the great features of Zotero.

The only thing that I am on the lookout for is Zotero coming onto different browser platforms. Currently, it is only supported by Mozilla Firefox but that holds a certain disadvantage against it. In addition, I have noticed in occasional events that the sync features take longer than usual. This could be due to their storage or the format that they are using.

Overall, I think Zotero is a great free tool for everyone who wants to efficiently save time and sources. I most favorite feature of Zotero is highlight and share. I am sure that the few glitches that Zotero currently has will soon disappear.

Tagged Review