I’m more in #ShellShock about the speed of the attackers !

If you haven’t caught up with it yet, there is a vulnerability out there which is quite a serious one.

What’s gone wrong now ?

If you have Linux, Unix or Mac OS X then you need to keep your eyes out for updates … and then learn how to test them for vulnerabilities !

 

So this is the issue … Bash. It’s in all the systems above and this is the problem with it :

I’ve given you a couple of links so you can get some breadth on the issue …

  1. Troy Hunt (LINK)
  2. Threatpost (LINK)
  3. CVE-2014-6271 (LINK)
  4. Akamai (LINK)

Well, am I affected ?

So yeah – that’s a biggie hey ?

Plenty of vendors have jumped on the scanner side of things to see if you are vulnerable :

  1. Errata Security (LINK)
  2. WebSecurify (LINK)
  3. Nessus (LINK)

Please note – you should use any tools you find on the internet with caution … only choose those you know or have been recommended by a competent security professional.

 

OK, you’ve probably run that and found you are vulnerable. Yep, bad times ahead, I’m afraid. For those with multiple systems, it’s going to be a long night in the office.

Woah, so how do I fix it ?

Well, it looks as simple as running update manager :

  1. Update Manager (LINK)
  2. Ubuntu (LINK)
  3. Command line : apt-get update; apt-get upgrade; (Thanks to Matthew Pettitt for that ! LINK)

But … you said !

Disclaimer – this may fix this bug but could break everything that you were running; there may be a reboot and you may never see your system again … backups please ladies and gents … backups and test restores please.

OK, I’m still alive – now what ?

Test again … yes that’s right, check it’s been applied properly. (see section above !)

Phew, no problems here then !

Well not quite …

There is this bypass to look at :

bypass #shellshock patch: X='() { (a)=>\' bash -c "echo date" creates ./echo with contents of `date` output
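As an added example (not from the original post), here is a small POSIX shell self-check covering both points above: retesting a box for the original CVE-2014-6271 function-import bug after patching, and checking the CVE-2014-7169 parser bypass quoted in that tweet. It assumes a bash binary on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: self-check the local bash for
# CVE-2014-6271 and the CVE-2014-7169 bypass, then print a short report.
# Assumes 'bash' is on PATH. Function names are this example's own.

# Returns 0 if bash ignores commands trailing an exported function definition
# (patched), 1 if it executes them (vulnerable), 2 if no bash was found.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 if the parser bypass is closed, 1 if the payload from the tweet
# still makes bash create a file named 'echo' (run inside a throwaway dir so
# nothing is left behind), 2 if no bash was found.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    workdir=$(mktemp -d) || return 2
    ( cd "$workdir" && X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$workdir/echo" ]; then
        rm -rf "$workdir"
        return 1
    fi
    rm -rf "$workdir"
    return 0
}

# One human-readable line per check result.
describe() {
    case "$1" in
        0) echo "$2: not vulnerable" ;;
        1) echo "$2: VULNERABLE - patch bash and retest" ;;
        *) echo "$2: bash not found, skipped" ;;
    esac
}

# Runs both checks; exits 0 only if neither reported VULNERABLE.
shellshock_report() {
    rc1=0; check_cve_2014_6271 || rc1=$?
    rc2=0; check_cve_2014_7169 || rc2=$?
    describe "$rc1" "CVE-2014-6271"
    describe "$rc2" "CVE-2014-7169"
    [ "$rc1" -ne 1 ] && [ "$rc2" -ne 1 ]
}

shellshock_report
```

Run it once before patching and again afterwards; a clean second run is the "check it’s been applied properly" step.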

 

Oh and also – keep an eye out for the bots that have been trying to gain access for the last 24 hours !

  • What ?!! There’s already an active bot for this ?!! (LINK)
  • Yeah – there’s also this reverse shell too (LINK)
  • Oh and this daemon that reboots machines (LINK)

And is that it ?

Well, essentially yes for now, but keep a lookout on Twitter as there are sure to be some big problems ahead as a result of this. If you aren’t sure then go get some help … it’ll be on the news shortly, so by then your boss will be OK to talk to you about it and will understand it. If you need a quick analogy … tell him we’re screwed and you’re going to resign. It’s easier than trying to fight the management team to get it fixed !!

 

The take away :

As technology becomes more pervasive and integrated into our lives, and as some systems come to the fore, so the patching of those technologies has to be thought about. In this situation there are going to be some systems which simply cannot be patched. There will be some embedded systems, legacy Unix boxes etc. which simply will not be able to be updated. The criminals were able to create an exploit bot within hours while we were still warming up the PR departments to draft a catchy logo and first blog. The attackers yet again beat us. Add into the mix the TVs, routers, medical equipment, SCADA systems and other devices yet to be discovered, and we’re in for a bumpy ride – make sure you do your bit to keep the internet safe.

Underground, overground, travelling free !

So the Tube – the London Underground is going NFC for payment transactions then … [LINK] … can you see the weakness here ?

We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came into play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared not to change, which indicated that the readers stayed the same but perhaps the software behind the system did change.

 

So we have an NFC reader and a piece of software to read those NFC chips to authenticate that the code being presented is indeed for a valid card.

I also noted a conversation with First Group commercial director in Manchester during 2013 when they were talking about trialling contactless payment systems.

This is definitely pointing to a payment-on-the-device environment coming up for the UK. I kind of support it, as it is rare that I go out without my device .. but often that I forget to take my travel card !

 

I have a Samsung i9100P specifically for its NFC chip – I see NFC in several devices, and with the announcement of the iPhone 6 I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider, which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.

I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one ?

 

In the London Underground with good connectivity, they could probably spot the fake NFC payment coming in and block you going through the turnstiles but on a vehicle such as a bus or unmanned station – I can see fake apps springing up to allow you to reset your “payment card” to get free journeys.

I found this link some time ago [LINK] and yes indeed San Francisco has had this problem with a weakness in the NFC cards allowing them to be tinkered with.

 

But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is :

  1. looking at it (vendor, supplier and corporate)
  2. thinking about it at a coding level at the vendor
  3. working out the legals of what is involved – is it illegal ? What are the laws around this ?

 

An interesting subject that I think could grow especially with iPay from Apple also.

 

*UPDATE

And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interestingly, iPay won’t be accepted yet … I guess they’re waiting for trusted security to be proven.

 

What do you think ?

 

When a bug goes viral.

It was 3pm GMT when a 19-year-old Austrian nicknamed Firo sent a tweet. There were millions of us tweeting too and his actions were not unusual. As he typed his tweet, he inserted a heart character and noticed that two appeared. Curiosity got the better of him and he started playing with his tweet. His discovery was that he could insert code into his tweet and yet it was only showing his love heart.

 

The thing about Twitter is that it attracts like-minded individuals together. When Firo’s followers received his tweet in Tweetdeck, they got a pop-up box with some text in it. When they re-tweeted it, so did their followers and so we see an initial growth. Firo knows computing, his friends know computing too and their circles are all in the same areas. After 30 minutes, the UK was receiving these curious messages and word was out…

 

XSS in Tweetdeck

 

When the tinkerers saw what they could do with simple script, they had a field day sending funny messages over Twitter. As the Tweets grew, so did the curiosity, Firo was past playing with the bug and the message was spreading. Within 2 hours, Tweetdeck was almost becoming a ghost town as the message sank in…

 

There is an XSS in Tweetdeck

– this is serious.

 

We shut it down, un-linked our Twitter accounts. Two hours after the initial finding of the bug, the user base was savvy enough to understand its severity and was protecting itself.

 

Shortly after this we saw the self-propagating tweet. Using the same framework, it gave you the pop-up message but you automatically re-tweeted it. When this variant hit the BBC breaking site, 10.1 million followers received that tweet. Anyone using Tweetdeck automatically re-tweeted it. This was now a dangerous game and Tweetdeck pulled the plug.

A wise move by all accounts; had it been allowed to proliferate, Twitter could have fast become overrun and more harmful code could have been injected into a Tweet. Fingers were pointed at bad programming, the Twitter takeover and yes, I dare say the Governments probably got a finger pointed or two.

Bugs exist in code because we write code. Humans write code. We are not perfect. Bugs are found every day, some are low impact and some critical. A bug is simple to introduce by accident and can lie undiscovered in some cases for over a decade (OpenSSL).

 

Firo did no wrong; he is a good definition of a hacker, he got curious and worked out what it could do. The media should not demonise him for his actions, in the same way Codenomicon should not be demonised for finding HeartBleed. Firo is a hacker. The media should learn that this is a good thing. He is not a criminal. Someone who finds bugs and has the intent to cause harm is a criminal. We need to separate these terms and this is a perfect opportunity.

 

Well done to the hacker Firo for finding this bug even if it was by accident (as most great discoveries are!).

We must also applaud Tweetdeck for such a fantastic and speedy resolution to the bug fix. I have no idea how many thousand lines of code they had to go through, but they did and they fixed it.

I wonder what the next bug will be that is found today ?

I wonder if it will be in a 90s game that if you press IDDQD, IDKFA, IDCLIP ……..

 

Associated articles :
Original article identifying Firo
Doom

XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

 

I was first alerted when I got this pop-up :


My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

 

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names .. there it was :


I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168


I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.

At the time of writing, Tweetdeck has now fixed the issue :

https://twitter.com/TweetDeck/status/476763638695743489


Where could it have gone to ?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !

 

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

 

The FIX :

Log out of Tweetdeck – log back in again !

 

Security Mantras

I have to explain security concepts quite a bit in my job and so I thought I’d share my thoughts with you all for some discussion.

 

I’m going to keep it brief and then update this blog with the feedback and comments shortly.

 

Mantra 1

There are two kinds of people – those who have been hacked and those that don’t know it yet.

I’m all for a bit of FUD – Fear, Uncertainty and Doubt. It is a good sales technique, to be fair – but please, if you are going to use FUD, be accurate. The infosec industry is getting a bad rap for wild accusations, so let’s keep it real. If you feel the need to use a FUD mantra – how about:

Do you want to be one of those companies that you get to read about, who didn’t do anything and then got hacked ?

 

Mantra 2

Monitor, Manage and Maintain

Bit of a personal favourite of mine – so for transparency reasons … yes, I am biased!

  • Monitor – you have to be looking out to see what is coming your way. Ensure you have adequate monitoring that is telling you of an impending attack. Of course the critical part of all this is to know your baseline – what is normal ? Once you know this, then you can work out what could be going wrong.
  • Manage – if you don’t have someone looking after these things, it goes the way of the paperless office … it was a good idea once. There should be a sponsor … a person at the top of the tree who ensures that the top line buys in, then there should be a busy bee worker who is making sure ‘stuff’ happens.
  • Maintain – patch, upgrade – do what you need to ensure you are always at the edge and not falling into the hands of criminals who love to capitalise on out of date systems.

 

Mantra 3

We have [VENDOR PRODUCT] so we’ll be OK

or

Buy our [VENDOR PRODUCT] and you will be secure

No, no, no, no. No piece of tin will keep you safe. I love this quote which explains this perfectly “It doesn’t matter how thick your suit of armour is, you can still get flu.” With humans, there is always a will and a way !

 

Top Insecurity Tips

This is meant to be a humorous blog post about internet tips and why some advice is just bad. Just a bit of fun for April Fools’.

 

1) Go to a public internet access point to surf the internet for a long time. Free wi-fi !

Bad idea – Public internet cafes are common places for various types of theft.

  • Physical theft of devices
  • Spoofing the access point to listen in on your traffic
  • Malicious payloads can be added via sponsored adverts
  • Shoulder surfing risk is greater

2) Do not put a password on your home wi-fi so that your friends can connect to the internet easily

Bad idea – so can your neighbours and malicious people. They can use your access point to surf nefarious websites and hammer it for downloads which all affect your speed and bandwidth limits.

3) One password to remember – use something easy like your name

Bad idea – Too easy to guess, and generally very easy to break as well because all words from the dictionary are already cracked. Using the same password everywhere means that should you have a leak of your details, a criminal can gain access to everything you have ever logged in to.

4) Store your passwords in a notebook called passwords so you never forget another login

Bad idea – If someone opens your notebook, they can then log in on your computer with your credentials.

5) Antivirus, anti-malware tools and firewalls all slow down your computer, besides, you’ve never had a problem

Bad idea – just because you think you’ve never had a problem does not mean that you have never been hit.

6) Patching computers and installing updates gets in the way, takes too long and fills up your computer. Your computer works fine without them.

Bad idea – the hackers and malware writers can easily gain access to older versions of home systems, they have specific tools written to exploit these older out of date systems.

7) Leave your home computer on at home connected to the internet, that way you can just turn on the screen and have immediate access to the internet

Bad idea – if you are hacked, you won’t know about it till you get home and by then someone could have taken everything!

8) Downloading illegal content is fine, who cares about little old me !

Bad idea – it’s illegal.

9) Never clear your history – that way you can always find your old websites you have browsed

Bad idea – using tools, a criminal can see everything you have done on your computer.

10) Auto-save passwords – that way your computer can auto-log in to all websites. How convenient is that, no more remembering passwords

Bad idea – anyone using your computer will also auto-login to sites with your details, and a criminal who may have been able to obtain remote access to your computer will also have all your passwords.

11) If they want to send you £20million from a relative you didn’t know from a foreign country you’ve never been to, what is £3000 in the grand scheme of things by comparison!!

Bad Idea – it’s a scam, congratulations, you’ve just lost £3000

Have some fun people and feel free to contact me on Twitter at @SPCoulson to add your own !

Security Valentines

So for Valentines, I decided to create a Hashtag #SecurityValentine partly for some fun but also to get some ideas together for simple security messages.

Roses are red,
Violets are blue,
I’m sat here,
Waiting to help you.

Roses are red
Violets are blue
All my base
Are belong to you

Snort is good
Kali is better
Get that signature
On the authorising letter

I hacked in
Found the data
I’m zipping it up
To exfiltrate later

Talk to me

I’m a Social Engineer
I won’t use your password
There’s nothing to fear (honest!)

I really regret
The hacker I dated
Get me a WAF
I’ve been penetrated. (Source David Powell)

I’m a virus
I’m here to destroy
There’s also a backdoor
That was my ploy

Give me your money
Ransomware is here
I’ll give you your data
After I’ve had this beer

Roses are red
Your password was weak
You’re now in a Pastebin
For hackers to seek. (Source @DeathsPirate)

Some malware is bad
But Cryptolocker is clever
I know your tactics
Click that Link – NEVER !

Roses are #C91D1D
Violets are #6411D5
…or would you prefer those in RGB?

Security gets me down
My Password is my DoB
What do you mean I’ve been hacked
Thought my AV was there to protect me

Valentines Day
Girls love me
I clicked this girls profile
Worst infection I coulda got me !

The roses have wilted
The violets have died
I didn’t do patch management
I’ve just been fired.

Website is down
Log files are blank
Fixing this stuff
Is not going to be fun at all is it ?

Compliance is dull
And sometime is effective
Its trying to implement it
To the great collective

Scada attack
Wow that sounds quite a fright
I’ll be OK
Hey, who turned out the light ?

Burp is the best,
Zap is nice too,
But stay inside scope,
Or you’ll end up in poo. (Source @PMason00)

I’m a script kiddie
I’m a DDoS king
Does that make me a Leet Hacker?
Or an annoying little thing ?

Roses are red
Pineapple’s yellow
Auto connecting …
Beware of the peril! (Source @DeathsPirate)

“I know who is
Who’s behind the @th3j35ter ”
Yet another troll out there
Reputation to be messed up !

Roses are red
This hat is white
Network Security’s
an ongoing fight! (Source @DeathsPirate)

Lock picking is fun
Use an electric gun
But using a bump key
Is just as fun

Roses are red
Defcon badges are blue
Who’ll pay for a ticket
For Defcon #22 ?

I have a risk register
It did us some harm
I’ve never updated it
No need for alarm!
(is there?)

Log files are read
Language is blue
Firewalls opened up
Who was it .. was it you ?

Buried in the basement
Where no-one can see
Sysadmins everywhere
Are protecting you and me

Ethical hacking
Pen Testing too
Whatever you call it
Finding holes for you

Love em or hate em
Whistleblowers are here
It’s the data the still have
The govts/companies fear

Roses are red
Violets are blue
My security is weak
The hackers got through !