Category Archives: Technology

HTTP Strict Transport Security

If you’re a sad geek like me you’ve probably already heard of HSTS (HTTP Strict Transport Security). HSTS is designed to close a hole in the usual set-up where you access a web server using plain HTTP and are automatically redirected to the HTTPS equivalent (usually through a 301 or 302 response with a new Location header).

To most this seems like a perfectly acceptable solution, until you start thinking about the Man in the Middle issues of this kind of redirection. Most users don’t type https://mybank.com after all. They just type mybank.com and expect the browser and server to sort it out themselves…. and to be honest, they should. Users shouldn’t need to understand security to BE secure. It’s something that the server architects, web designers, and programmers of the world need to get together to solve.

So, the first step in securing this hole is finally beginning to be implemented. HSTS is still a way off yet (it’s just been implemented in the Firefox 4 nightly builds, and appears to be supported in Chromium), but it’s already looking promising.

HTTP Strict Transport Security works by letting a server send an additional Strict-Transport-Security: header on its HTTPS responses. It is not the plain-HTTP 301/302 that carries it: the draft has browsers ignore the header if it arrives over HTTP, because anyone in the middle of that connection could set or clear it. The header sets a max-age (in seconds, and optionally an includeSubDomains parameter) which is read and remembered by a compatible browser (currently few).

Strict-Transport-Security Header

The browser will then remember the setting for max-age seconds, and the next time it’s asked to connect to that host (even if the address is typed or linked as http://) it goes straight to the https:// version without the plain-text round trip. A compliant browser also refuses to let you click through certificate errors for such a host.

Type http:// get https://

A couple of issues:

  • The very first visit to a site still goes out over plain HTTP before any policy exists, so that request (and the redirect it triggers) remains open to MitM
  • Sub-domains need to be included to ensure everything is secured (that is what the includeSubDomains parameter is for); a policy for mybank.com alone does nothing for www.mybank.com
  • How is Private browsing (i.e porn mode) handled? I see 2 possibilities here:
    • HSTS info is deleted along with everything else (reduced security)
    • HSTS info is retained (secure, but breaks privacy)
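To make the mechanism and the first two issues concrete, here is an added example (my own, not code from the post or from Firefox/Chromium; the class and function names are hypothetical) of a minimal HSTS policy store in Python: the header is only honoured over HTTPS, includeSubDomains widens the match to child hosts, max-age expires the entry, max-age=0 clears it, and later http:// requests for a remembered host are rewritten to https://.

```python
"""Minimal HSTS policy store (added example, not the Firefox or Chromium code).

Models the rules a compliant browser applies to Strict-Transport-Security:
honour it only on HTTPS responses, remember the host for max-age seconds
(optionally with includeSubDomains), and rewrite later http:// requests for
a remembered host to https://.  Names here are hypothetical.
"""
import re
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)


def parse_sts(value):
    """Return (max_age_seconds, include_subdomains), or None if max-age is absent."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        m = _MAX_AGE.match(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the draft requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """host -> (expiry timestamp, include_subdomains)"""

    def __init__(self):
        self.policies = {}

    def observe(self, url, headers, now):
        """Feed a response. Returns True if a policy was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            # Over plain HTTP anyone on the path could inject or clear the
            # header, so it is ignored there.
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)       # max-age=0 means "forget me"
        else:
            self.policies[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """True if host, or a parent that set includeSubDomains, is remembered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self.policies[candidate]    # lazily expire stale policies
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Return the https:// form of url if HSTS applies, else url unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        # port 80 becomes the https default; any other explicit port is kept
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe("https://mybank.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now=0)
    print(store.rewrite("http://www.mybank.com/login", now=10))
```

The first-visit problem is visible in the code: until observe() has seen one HTTPS response, rewrite() passes the http:// URL straight through, which is exactly the window an attacker on the path gets to strip the redirect.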

I’m looking forward to HSTS being implemented across a broader range of browsers, although this is going to take a long time (IE6 has only just started to die after all). Still, anything we can do to solve part of the problem is worthwhile doing.

UPDATE: I looked briefly into the private browsing situation (at least with Firefox 4 nightly) and as I thought, it forgets the HSTS settings, preferring privacy and protection of your visited sites over the security offered by HSTS. I guess this makes sense… Still, it renders HSTS moot for many of us who run in private browsing mode all the time (for privacy reasons!). I’d like to see an option to retain these. Maybe in the next nightly?

Links:

  • Firefox 4: HTTP Strict Transport Security (force HTTPS) –> LINK
  • Firefox nightly builds (with HSTS support) –> LINK
  • HSTS Draft –> LINK
  • Chromium Strict Transport Security –> LINK

Test Sites (sites supporting HSTS):

  • www.paypal.com
  • www.ssllabs.com
  • www.defcon.org
  • www.elanex.biz
  • jottit.com
  • sunshinepress.org
  • www.noisebridge.net

Draft IETF – HTTPState (Cookies)

A friend of mine (thanks Ben) pointed me at the latest draft IETF covering HTTPState (i.e. Cookies). I’m sure there are lots of you who love reading RFCs in your spare time…. after all, we all suffer from insomnia at one point or another ;)

Regardless, I found it interesting that the HTTPState Working Group are finally working to integrate the HTTPOnly flag into the RFC. The HTTPOnly flag was originally suggested in 2002 by Microsoft as a way to prevent what they saw as a common attack vector (Cross-Site Scripting being used to steal session cookies: a cookie flagged HTTPOnly is still sent with requests as normal, but is hidden from document.cookie and so from injected script). Microsoft built support for the HTTPOnly flag into Internet Explorer 6 (SP1) and it was adopted by other major browsers and programming languages.

The new working group is looking to replace the aging RFC 2109 and its (supposed) replacement RFC 2965 with a new standard that documents cookies as they are actually implemented. Alone this wouldn’t be news, but alongside the update comes the integration of the HTTPOnly flag which, despite being widely used and supported for years, has never featured in the RFCs before.

The roadmap shows the working group aiming for March 2011 for a final release.
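To make the HTTPOnly point concrete, here is an added example (my own, not the working group’s code; the function names are hypothetical) that parses Set-Cookie the way draft-abarth-cookie describes browsers actually doing it, with attribute names matched case-insensitively and unknown attributes ignored, and then filters a cookie jar the way document.cookie does, so an HttpOnly session cookie never reaches page script:

```python
"""Set-Cookie parsing as draft-abarth-cookie describes real browsers doing it.

Added example for this post, not the working group's code; names are
hypothetical.  The attribute of interest is HttpOnly: it is recorded on the
cookie and then used to keep that cookie out of what script may read.
"""
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict, or None if it is unusable."""
    name_value, _, attributes = header.partition(";")
    name, eq, value = name_value.partition("=")
    name = name.strip()
    if not eq or not name:
        return None                       # no "=" or empty name: the header is ignored
    cookie = {"name": name, "value": value.strip(), "domain": None, "path": None,
              "expires": None, "max_age": None, "secure": False, "httponly": False}
    for attribute in attributes.split(";"):
        attr_name, _, attr_value = attribute.partition("=")
        attr_name, attr_value = attr_name.strip().lower(), attr_value.strip()
        if attr_name == "secure":
            cookie["secure"] = True
        elif attr_name == "httponly":
            cookie["httponly"] = True
        elif attr_name == "path":
            cookie["path"] = attr_value or None
        elif attr_name == "domain":
            # a leading dot is tolerated and dropped; domains compare case-insensitively
            cookie["domain"] = attr_value.lstrip(".").lower() or None
        elif attr_name == "max-age":
            try:
                cookie["max_age"] = int(attr_value)
            except ValueError:
                pass                      # malformed Max-Age is ignored, not fatal
        elif attr_name == "expires":
            try:
                cookie["expires"] = parsedate_to_datetime(attr_value)
            except (TypeError, ValueError):
                pass                      # unparseable date is ignored
        # anything else (unknown attributes, empty segments) is ignored
    return cookie


def script_visible(jar):
    """What document.cookie hands to page script: HttpOnly cookies are left out."""
    return "; ".join(f"{c['name']}={c['value']}" for c in jar if not c["httponly"])


if __name__ == "__main__":
    jar = [parse_set_cookie("SESSIONID=abc123; Path=/; Secure; HttpOnly"),
           parse_set_cookie("prefs=dark; Path=/; Max-Age=3600")]
    print("document.cookie ->", script_visible(jar))
```

The session cookie is still sent on every request to the site (that is what the Path and Secure attributes govern); HttpOnly only removes it from the one channel an XSS payload can read.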

Information from the “HTTP State Management Mechanism” Working Group

Description of Working Group:

  The HTTP State Management Mechanism (aka Cookies) was originally
  created by Netscape Communications in their informal Netscape cookie
  specification (“cookie_spec.html”), from which formal specifications
  RFC 2109 and RFC 2965 evolved. The formal specifications, however,
  were never fully implemented in practice; RFC 2109, in addition to
  cookie_spec.html, more closely resemble real-world implementations
  than RFC 2965, even though RFC 2965 officially obsoletes the former.
  Compounding the problem are undocumented features (such as HTTPOnly),
  and varying behaviors among real-world implementations.

  The working group will create a new RFC that:
   * obsoletes RFC 2109,
   * updates RFC 2965 to the extent it overlaps or voids RFC 2109, and
   * specifies Cookies as they are actually used in existing
     implementations and deployments.

  Where commonalities exist in the most widely used implementations, the
  working group will specify the common behavior. Where differences exist
  among the most widely used implementations, the working group will
  document the variations and seek consensus to reduce variation by
  selecting among the most widely used variations.

  The working group must not introduce any new syntax or new semantics
  not already in common use.

  The working group’s specific deliverables are:
  * A standards-track document that is suitable to supersede RFC 2109
    (likely based on draft-abarth-cookie)
  * An informational document cataloguing the differences between major
    implementations

  In doing so, the working group should consider:

  * cookie_spec.html – Netscape Cookie Specification

     http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html

  * RFC 2109 – HTTP State Management Mechanism (Obsoleted by RFC 2965)
     http://tools.ietf.org/html/rfc2109
  * RFC 2964 – Use of HTTP State Management
     http://tools.ietf.org/html/rfc2964
  * RFC 2965 - HTTP State Management Mechanism (Obsoletes RFC 2109)
     http://tools.ietf.org/html/rfc2965
  * I-D – HTTP State Management Mechanism v2
     http://tools.ietf.org/html/draft-pettersen-cookie-v2
  * I-D – Cookie-based HTTP Authentication
     http://tools.ietf.org/html/draft-broyer-http-cookie-auth
  * Widely Implemented – HTTPOnly
     http://www.owasp.org/index.php/HTTPOnly
  * Browser Security Handbook – Cookies
     http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
  * HTTP Cookies: Standards, Privacy, and Politics by David M. Kristol
     http://arxiv.org/PS_cache/cs/pdf/0105/0105018v1.pdf


Shockingly insecure

Yes I know, it’s a sensationalist headline, but you have to agree, any software component that comes out with 18 CVE numbers at once is anything but secure.

Adobe have had a bad record when it comes to providing secure software and add-ons. The almost weekly Adobe 0-day exploits in Acrobat (Reader) and Flash have now been joined by a list of critical vulnerabilities in Adobe’s Shockwave Player (11.5.6.606 and older). I’ve given a full list of the CVEs patched at the end of this post (see links). Currently these CVEs are reserved and don’t provide a great deal of information, but the Adobe advisory gives some detail about the flaws:

  • This update resolves a boundary error vulnerability that if exploited, could lead to memory corruption and possible code execution (CVE-2010-0127)
  • This update resolves a signedness error vulnerability that could lead to code execution (CVE-2010-0128)
  • This update resolves multiple memory corruption vulnerabilities due to integer overflow that could lead to code execution (CVE-2010-0129)
  • This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-0130)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0986)
  • This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0987)
  • This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1280)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1281)
  • This update resolves an infinite loop vulnerability that could lead to a denial of service (CVE-2010-1282)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1283)
  • This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1284)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1286)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1287)
  • This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-1288)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1289)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1290)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1291)
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1292)

As you can see there’s a whole lot of “code execution” in this advisory. Adobe have, obviously, suggested an upgrade to the latest version (11.5.7.609) which deals with these issues. That’s one option; the other is to remove or disable Shockwave Player. If you’re a home user this is simple to achieve: uninstall the software. For enterprise users it’s a little harder. Below is one method to disable the Shockwave Player within Internet Explorer (by setting the kill bit on its ActiveX control) and so reduce the overall attack surface.

* Disclaimer * Please backup your configuration before performing any registry changes, and test this solution within your environment before using it.

Workaround:

To disable the Shockwave Player within Internet Explorer you edit the registry to add/alter a key within the “ActiveX Compatibility” subkey. This is the same kill-bit mechanism Microsoft uses in its own advisories to stop a control loading in IE.

The exact location is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

From here check whether a class identifier (CLSID) of {166B1BCA-3F9C-11CF-8075-444553540000} is already present. If not, create it, and under it create a new DWORD called Compatibility Flags. Double click this DWORD and set its value to 0x400 (hex); that bit is the kill bit. On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it there as well. That’s it: restart Internet Explorer and go to http://www.adobe.com/shockwave/welcome/ to test. Note that this only blocks the ActiveX control in IE; the Shockwave plugin used by other browsers, and the vulnerable files on disk, are still there until you update or uninstall.

Shockwave Player - Enabled

Shockwave Player - Disabled

To make it a little easier, here’s the exported registry (.reg) file that you can directly import into your registry (please backup/test before rolling out).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}]
"Compatibility Flags"=dword:00000400

You can also download a copy of the .reg file from here.


Linuxwochen Vienna 2010

What else does a geek do when he’s got the day off work…. yes, that’s right, he goes to a Linux conference of course. I found out about the Linuxwochen event in Vienna a little late (about a day before the event), but as I’d already booked the day off (I hate working on my birthday) I decided to pop down to Vienna and take a look.

Although most of the talks weren’t security related, there were a few interesting topics discussed. The opening talk on the upcoming release of PostgreSQL 9.0 was a good overview of the new functionality being implemented. It’s easy to forget as security professionals that we need to keep up with “normal” technology as well, so this served as a good update, and provided some good information for the next time I come across a PostgreSQL database when testing.

The first “real” security talk was presented by Sebastian Graf (@naxxatoe) talking about “Security vs Usability”. Sebastian left us with some interesting things to think about when it comes to usability affecting the security of sites… as well as some interesting screenshots of websites that really shouldn’t be vulnerable to SQL Injection, but are. You can’t fill out a web form nowadays without stumbling over a SQLi it seems. Sebastian also discussed briefly the Apache compromise and the fact that attacks against the infrastructure are using flaws in the web application to gain access.

——————————————

Following that, Florian Eichelberger (@Florensik) talked about the new honeypot project, Community Sense Net (CSN.OR.AT). The project was originally sponsored by ISPA in 2008, and is designed to deal with the issues of attack coverage and visual representation that other honeypot systems suffer from. CSN is based on Debian and programmed in Python, and integrates SNORT as its signature base. It also offers an SMTP based sensor that scans incoming emails for attachments or links to content/malicious code hosted on the web. In testing, there have been between 600-900 attacks per day, with a large number of these (~400) being repeats of the same attack. Of those that are “new”, a number are still detected using generic AV signatures due to commonalities with previous versions/revisions of the virus/bot. Since 2008, more than 100,000 individual viruses/bots/attacks have been registered. The majority of attacks focus on DCOM/LSASS/ASN.1 exploits, with Microsoft being the number 1 target (and Linux the second most popular). More statistics are present on the website. A new service being opened up to the public now is the IP/MD5 search feature, which allows you to search on IP or MD5 values to see if they are known to the honeypot. The project is currently looking for additional sensors if people are interested in assisting with the project.

——————————————

Finishing up the security theme, Christian Amsüss talked about “Reverse Engineering von Smartcards am Beispiel von Bankomatkarten“ (reverse engineering smartcards, using Austrian bank cards as the example). More information and applications can be found on Christian’s homepage. Nice overview of the communication channels used by the Quick e-purse system (Austrian system), as well as an overview of the project and software developed by Christian to interact with the smartcards. Using Linux it’s possible to sniff the USB communications when using a USB card reader. By simply catting the data from /dev/usbmon0, it’s possible to capture and decode the communication. Numbers on the card are encoded big-endian (e.g. 02 00 = 512), other information is stored in simple binary coded decimal (e.g. the bank code, BLZ). There are also a range of other encodings in use for dates, including the use of a “days since the start of the year” counter alongside the 2-digit year. Alongside sniffing, it is also possible to send some commands to the card to read specific data from it.

The carddecoders tools offer a decoder for the card communication to provide a more readable output from the device. The tool also offers the ability to search for common numbers using various encoding types.

More information on Sniffing the smartcard protocol can be found here.

——————————————

Overall I really enjoyed my day in Vienna. The whole event runs for 3 days, but I was only able to attend today. If you’re around in Vienna in the next few days, go and check it out, it’s free and that’s the best price there is ;)

Links:

  • Linuxwochen –> http://linuxwochen.at
  • Community Sense Net –> http://csn.or.at
  • Reverse Engineering from the Austrian Quick e-purse –> http://christian.amsuess.com/tools/carddecoders/
  • 24C3 – Smartcard Sniffing –> http://events.ccc.de/congress/2007/Fahrplan/events/2364.en.html

How far we’ve come….

In one of those rare moments, I was presented with the chance to read through an old copy of LIFE International magazine from 1954. Amongst all the first time pictures of wildlife and amazing sights from around the world, I came across this advert. It goes to show you how far we’ve really come in the last 50+ years. 

What I love about this advert is the tag line… “The Thinking Machine of the Business World“. If only they knew how far those “Thinking Machines” would really go!

LIFE International (1954)

We can only wonder where we’ll be in 2054?

Playing with iPhone profiles

It’s not often that I talk about a GOOD feature of the iPhone. Don’t get me wrong, I love my iPhone and it’s really changed the way I work and communicate, however Apple really only want you to use the device the way they want, not how you want. Still, I’ve recently been fighting with a few issues while traveling. The largest of these is the need to constantly change my APN settings whenever I fly somewhere. I usually travel with a small collection of pay as you go SIM cards so that I can just touch down, plug in the SIM and charge enough credit to cover a few days or weeks of data transfer. You’d be surprised at the prices you can find even on pay as you go nowadays. Anyway, this is all well and good, but wouldn’t it be nice if the APN settings (APN name, username and password) were automatically detected. Some SIM cards do this, however most don’t (my O² SIM card even fills it in with incorrect info). Today I finally had a chance to look at the iPhone configuration tool offered by Apple.

The iPhone configuration tool gives you a range of options to configure a single or multiple iPhones. It also offers the chance to do some security related configurations that you can’t achieve directly on the iPhone itself. The 2 things I was particularly interested in were the Passcode and APN (advanced) settings.

Whether you’re using this in a corporate or home environment, the configuration tool can help improve the security of your iPhone, as well as making it easier to turn settings on/off as required.

Passcode

By default the iPhone allows for a 4 digit passcode to lock down your phone. This is fine, but I’ve lost count of the number of times I’ve seen people type in their passcodes. It’s not hard to remember a 4 digit passcode, and as the iPhone doesn’t randomize the layout of the numbers on the screen, it’s easy enough to work out the passcode from finger position alone, without ever seeing which numbers light up. Luckily the iPhone configuration tool gives you the chance to correct this.

Through the configuration tool you can set the advanced settings not possible to do directly on the iPhone itself. These settings include the complexity (including the number of non-alphanumeric characters required), minimum length, maximum password age, password history and failed attempts.

Alongside these typical settings you can also set the auto-lock and grace period times. Most importantly, from my perspective, you can enable the device erase function (this can also be enabled on the device directly).

When it comes to mobile devices, password enforcement is becoming more and more important. With the limited keyboard functionality and repetition of password entry (how many times a day do you type in your iPhone passcode ?) it’s important to make sure users (whether enterprise or home) don’t simplify the passcode too much. It’s very convenient to use 9999 as your passcode, but it’s not hard to shoulder-surf.

The above images show the default 4 character PIN style password, and the more extensive passcode options you can enable through iPhone configuration tool. The more security conscious may have noticed there are 3 images and not just 2. If you allow users to set digit only passcodes (i.e. an 8 character passcode like 12345678) then your users will be prompted ONLY to enter numeric values. If the user sets a more complex alphanumeric password, then they will be given a full keyboard for entry. This isn’t a BIG security issue, but it does tell you what kind of passcode they’ve selected without you needing to know the passcode itself. Still, it’s better than a 4 digit passcode ;)

APN (advanced)

The second feature that interests me is the advanced page, which allows you to set the APN and Proxy information. For me this is really handy. I can go into the configuration tool and create a profile for each APN setting combination that I need. When going between countries I can simply pull up the .mobileconfig file from my email (make sure you’ve got it cached) and apply it to the iPhone.

The advanced settings page also allows you to set a proxy for your communications. I’ve not had a chance to play with this setting yet to see what kind of security enhancement can be gained from this. In theory it would be nice to force ALL communications over an SSL secured proxy. This could then connect back to a trusted system to give you an extra layer of protection between your phone and home base. When travelling to a possibly dangerous environment (I’m thinking China, Russia, Ukraine, etc…) it would be nice to feel just a little bit more secure.

The good thing about profiles is that you can add and remove them at will. You can also have more than 1 profile active on the iPhone at once (as you can see I’ve got 4 currently). This allows you to add and remove them whenever you need to. It also means you can have a profile that applies your security settings and separate ones that apply just the APN info (as it’s likely to change more often than you security configuration). I’ve not had a chance yet to look at what happens when you set multiple profiles to contain settings that clash. I get the feeling that the LAST profile applied will override the earlier ones, but at the moment that’s just speculation on my part.

.mobileconfig

The files you export from the iPhone configuration tool are simple XML files. So if you find yourself out and about without the tool, you can still open the file up in a text editor and change the settings as required. If you do a Google search for “mobileconfig iphone” you’ll find a number of sites discussing the format. You can also checkout the enterprise deployment documentation HERE for more hints. You can also download the configuration tool from the same location (Windows / OSX only).

Edit: After posting I did a little followup on the contents of the .mobileconfig file. When looking at the files created to implement specific APN settings, I noticed the following strings in the XML:

 <key>apns</key>
 <array>
   <dict>
     <key>apn</key>
     <string>payandgo.o2.co.uk</string>
     <key>password</key>
     <data>
     cGFzc3dvcmQ=
     </data>
     <key>username</key>
     <string>vertigo</string>
   </dict>
 </array>

I can almost see people holding their heads in their hands. Yes, the password is stored Base64 encoded. That is simply how an XML plist stores raw bytes: anything in a <data> element is Base64, which avoids special characters corrupting the XML. But Base64 isn’t encryption, and base64 -d turns cGFzc3dvcmQ= straight back into “password”. Luckily APN settings are usually publicly available anyway. However the .mobileconfig file can also contain data such as WPA keys, mail account passwords, and even LDAP and Exchange server settings. Surely these are protected in the XML by default right?

<key>LDAPAccountDescription</key>
 <string>LDAP Account</string>
 <key>LDAPAccountHostName</key>
 <string>server</string>
 <key>LDAPAccountPassword</key>
 <string>SecretLDAPpassword</string>
 <key>LDAPAccountUseSSL</key>
 <true/>

That’s what we like to see. Clear text passwords… However it’s not all bad, there is a solution, even if it’s not the default. When exporting the .mobileconfig file from the iPhone configuration tool, you can select to sign and encrypt the file. The downside of this, is that you need to tie the .mobileconfig to an iPhone that has been registered in the iPhone configuration tool. This may not always be convenient, especially when your CFO is shouting that his wireless settings are wrong as he’s waiting for the 9th hole at the local golf club. Still, at least Apple have thought about the security risks. When creating a single profile for your entire corporation however, you’ll either need to register each iPhone in the configuration tool before exporting the file, or use the less secure, unencrypted, option.

So, if you’re a corporate using this feature for your CEO’s iPhone, remember to store the .mobileconfig in a safe place and use the sign and encrypt option (not the default, at least in my testing). If you’re a penetration tester, add this filetype to your list of files to look for next time you exploit a users system. You never know what you might find. If you want to know how bad it really is, try the following Googledork “filetype:mobileconfig”.
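If you want to automate that check, here is an added Python example (my own, not Apple’s tooling; the function names are hypothetical and the embedded profile is a constructed sample that mirrors the two snippets quoted above) that parses an unencrypted .mobileconfig with plistlib and walks it for secret-looking keys, Base64 <data> and plain <string> alike:

```python
"""Pull credentials out of an unencrypted .mobileconfig.

Added example for this post, not Apple's tooling; function names are
hypothetical and the profile below is a constructed sample modelled on the
APN and LDAP snippets in the post.  An XML plist keeps raw bytes in <data>
as Base64, which is why the APN password appeared as cGFzc3dvcmQ=; plistlib
decodes that for us, and the LDAP password is a <string> needing nothing.
"""
import plistlib
import xml.parsers.expat

SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Travel profile (constructed sample)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>apns</key>
      <array>
        <dict>
          <key>apn</key>
          <string>payandgo.o2.co.uk</string>
          <key>password</key>
          <data>cGFzc3dvcmQ=</data>
          <key>username</key>
          <string>vertigo</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>LDAPAccountDescription</key>
      <string>LDAP Account</string>
      <key>LDAPAccountHostName</key>
      <string>server</string>
      <key>LDAPAccountPassword</key>
      <string>SecretLDAPpassword</string>
      <key>LDAPAccountUseSSL</key>
      <true/>
    </dict>
  </array>
</dict>
</plist>
"""

# key-name fragments that usually hold a secret in profile payloads (assumption)
SECRET_KEY_HINTS = ("password", "passphrase", "psk", "sharedsecret")


def find_secrets(node, path=""):
    """Walk a parsed plist; return [(key path, value)] for secret-looking keys."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            looks_secret = any(hint in key.lower() for hint in SECRET_KEY_HINTS)
            if looks_secret and isinstance(value, (str, bytes)):
                if isinstance(value, bytes):       # <data>: plistlib already Base64-decoded it
                    value = value.decode("utf-8", "replace")
                found.append((here, value))
            else:
                found.extend(find_secrets(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_secrets(value, f"{path}[{index}]"))
    return found


def secrets_from_mobileconfig(blob):
    """Secrets in a plain-XML profile, or None if the blob is not a plist.

    A signed profile is a CMS (PKCS#7) DER structure wrapping the plist, so
    plistlib rejects it outright; an encrypted one keeps its payloads in an
    opaque encrypted <data> blob, so the walker finds nothing readable.
    """
    try:
        profile = plistlib.loads(blob)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
        return None
    return find_secrets(profile)


if __name__ == "__main__":
    for key_path, secret in secrets_from_mobileconfig(SAMPLE_MOBILECONFIG):
        print(f"{key_path}: {secret}")
```

Run it over anything matching *.mobileconfig that turns up on a compromised workstation or in a mail store; a result of None is the good outcome, meaning the profile was at least signed.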

Find files between 2 dates

I thought I’d share a little tip I found recently. I was searching for a way to find files created between 2 dates on a Linux box. There’s a lot of reasons you might want to do this. Maybe you need to archive some files, maybe you’ve been breached and need to check what files have been modified. Whatever the reason, these are the commands to run that will do the job for you.

  • touch -m -t 200901010000 /tmp/startdate
  • touch -m -t 200901012359 /tmp/enddate
  • find . -newer /tmp/startdate ! -newer /tmp/enddate

The touch commands create 2 reference files with the modification times 01.01.2009 00:00 and 01.01.2009 23:59 (the -t format is CCYYMMDDhhmm). Using these reference files you can then run the find command to find everything with a modification time newer than the first file but NOT newer than the second. Two things worth knowing: GNU find can do the same without temporary files (find . -newermt "2009-01-01 00:00" ! -newermt "2009-01-01 23:59"), and -newer compares mtime, which an intruder can back-date just as easily as you set it here, so for breach work also select on ctime (-newerct), which touch cannot alter. Remember to delete the files from /tmp when you’re done ;)

  • rm /tmp/startdate /tmp/enddate

I’ll try and write-up a script for the PenTester Scripting project when I get some time.
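Until then, here is an added Python example (my own, not the PenTester Scripting project’s code; the function names are hypothetical) that does the same window selection and adds the check the find one-liner cannot express: selecting by ctime as well as mtime and listing files whose two timestamps disagree. It builds its own two-file sample tree, one file back-dated with utime the way touch -t would do it:

```python
"""Select files by time window, with the forensic caveat find -newer glosses over.

Added example for this post, not the PenTester Scripting project's code;
names are hypothetical.  find -newer compares modification time (mtime),
which touch -t back-dates trivially, so on a breached box it is worth also
selecting by ctime (inode change time), which utime()/touch cannot set, and
looking at files where the two disagree.
"""
import os
import shutil
import tempfile
import time


def files_in_window(root, start, end, clock="mtime"):
    """Paths under root whose mtime (or ctime) lies in [start, end] (epoch seconds)."""
    field = {"mtime": "st_mtime", "ctime": "st_ctime"}[clock]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # vanished or unreadable: skip it
            if start <= getattr(st, field) <= end:
                hits.append(path)
    return sorted(hits)


def timestomp_suspects(root, start, end):
    """Files whose ctime is inside the window but whose mtime is not.

    A file an attacker dropped and then back-dated keeps a fresh ctime.
    Legitimate chmod/chown/rename also bump ctime without touching mtime,
    so treat the result as a triage list, not a verdict.
    """
    by_ctime = set(files_in_window(root, start, end, "ctime"))
    by_mtime = set(files_in_window(root, start, end, "mtime"))
    return sorted(by_ctime - by_mtime)


def build_sample_tree():
    """Constructed sample: a fresh file and one back-dated the way touch -t would."""
    root = tempfile.mkdtemp(prefix="window-demo-")
    for name in ("fresh.log", "backdated.so"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    jan_2009 = time.mktime((2009, 1, 1, 12, 0, 0, 0, 0, -1))
    # equivalent of: touch -t 200901011200 backdated.so (ctime still updates)
    os.utime(os.path.join(root, "backdated.so"), (jan_2009, jan_2009))
    return root


def demo(window_seconds=300):
    """Run the three selections over the sample tree; returns basenames per view."""
    root = build_sample_tree()
    now = time.time()
    start, end = now - window_seconds, now + window_seconds

    def names(paths):
        return [os.path.basename(p) for p in paths]

    result = {
        "mtime": names(files_in_window(root, start, end, "mtime")),
        "ctime": names(files_in_window(root, start, end, "ctime")),
        "suspects": names(timestomp_suspects(root, start, end)),
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    for view, found in demo().items():
        print(f"{view:9s} {found}")
```

The mtime view is what the touch/find recipe gives you, and it misses the back-dated file entirely; the ctime view catches it, and the difference between the two is the list to look at first.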

Filling your ipod…

Over some drinks at the last CERT.AT meeting in Vienna, the topic of security podcasts came up. It’s a topic that seems to be discussed a lot, and everybody has their own set of favourite podcasts that they listen to. So I’ve finally had time to sit down and go through my podcast list to pull out some of the ones I feel are worth listening to. Podcasts are a personal thing. Some people like highly technical podcasts, others like more operational style topics. I try to mix them up a little to get a bit of everything. Hope you enjoy, and if there’s something good that’s not on my list, please let me know. I can’t promise I’ll listen, but I’d be happy to try it out.

  • Social Media Security Podcast –> iTunes Link

    • Social Media Security [24.12.2009: Not currently active]
    • Lots of great social media tips and tricks…
  • Eurotrash Security Podcast –> iTunes Link

    • Explicit: Security interviews and news [24.12.2009: Newly added]
    • Hosted by Wim Remes, Dale Pearson, Craig Balding, and Chris John Riley
  • TRACsec Podcast –> RSS Link

    • Security interviews and news [24.12.2009: Newly added]
    • Hosted by Arron “Finux” Finnon, Tom Mackenzie, and Chris John Riley
  • BruCON Podcast –> iTunes Link

    • The official Brucon conference podcast [24.12.2009: Not currently active]
  • Cloud Security Podcast –> iTunes Link

    • Cloud security news, events, analysis and interviews
    • Hosted by Craig Balding & Chris Hoff
  • Crypto-Gram Security Podcast –> iTunes Link

    • Audio version of Bruce Schneier’s Monthly Crypto-Gram Newsletter
  • Cyberspeak –> iTunes Link

    • Computer crime and forensics podcast
  • Exotic Liability –> iTunes Link

    • Explicit: Exotic Liability will push you into the new generation of Security
    • The only podcast to merge stripper jokes with security topics
  • GRM N00bs Security Podcast–> iTunes Link

    • The GRM n00bs chat about various security topics
    • New podcast, a little rough around the edges, but hey, I don’t see you (or me) doing any better ;)
  • (HPR) Hacker Public Radio –> iTunes Link

    • Explicit: Technology, Open Source, Hacking –> Various topics, released daily – Community Driven
    • Checkout the website for more information on how to take part
    • See episode 315, 420 and 445 for my contributions (so far…)
  • Hak5 –> iTunes Link

    • Video: Put together a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn’t your typical tech show
  • Internet Storm Center Threat Update–> iTunes Link

    • Monthly podcast covering current network security threats
  • Network Security Podcast –> iTunes Link

    • Podcasting talking about the security issues that are relevant today such as consumer privacy and PCI-DSS.
  • OWASP Security Podcast –> iTunes Link

    • Join a wide variety of web application security experts as they examine the multiple aspects of application and software security.
    • Also posted are audio recordings from OWASP conferences
  • Pauldotcom Security Weekly –> iTunes link

    • IT Security news, research, vulnerability discussions and interviews –> one of the best podcasts around
    • Checkout iTunes for a video feed also (not updated often)
  • Risky Business –> iTunes Link

    • Australian podcast discussing the latest security news, with interviews and discussion pieces.
  • RB2 (Risky Business 2)–>Feed Link

    • Recorded conference presentations, single-shot interviews with industry players, freelance contributions and more.
  • SANS Internet Storm Center StormCast –> iTunes Link

    • Daily microcasts summarizing information security issues of the last 24 hours
    • Short and sweet. Great to keep yourself up-to-date on new attacks and issues
  • SecuraBit –> iTunes Link

    • Explicit: Computer security podcast brought to you by Anthony Gartner, Chris Gerling, Chris Mills, and Jason Muellner.
  • Security Justice –> iTunes Link

    • Explicit: Discussing security regarding technology and computers but also providing information and news about physical security.
  • SMBMinute –> iTunes Link

    • Technology for SMB’s
  • SpiderLabs Radio –> iTunes Link

    • Monthly DJ Mixes and interviews with Spiderlabs security professionals
    • Mostly music, but worth it for the interviews even if you don’t need music to hack to ;)
  • Tenable Network Security –> iTunes Link

    • Official podcast of Tenable Network Security and the Nessus vulnerability scanner
    • Corporate podcast. Newly formed with Paul from pauldotcom.
  • 2600: The Hacker Quarterly–> iTunes Link

    • The Hacker Quarterly. Combined feed of Off the Hook and Off the Wall shows.
    • Lots of fundraisers, but occasionally interesting content
  • Midwest Teen Sex Show –> iTunes Link

    • Non-Security, hilarious/VIDEO: Podcast for teens and adults covering the wonderful, awkward, stimulating, sticky world of sex.
    • Trust me, you WILL laugh a lot. Unless of course you hate sex and jokes, in which case, don’t even click the link ;)

Well there it is, my shortened list of security podcasts (currently). I tend to switch and change depending on what’s happening at the time and what my schedule is like. I’ve also skipped a few that don’t seem to be updating very regularly as there is a chance they’re off the air (blue box podcast, sploitcast spring to mind). I also snuck in one non-security podcast at the end. Give it a shot, it’s hilarious in an educational and strange way. If you’re into Linux as well, checkout the guys at Jupiter Broadcasting.

As I said before, if you’ve got some podcasts (good ones that is. Please don’t link me to Security NOW) that aren’t on my list, just let me know, and I’ll give them a shot.

[24.12.2009: Updated]

Fixing Cydia

At some point in the last 24 hours Saurik released a couple of updates to Mobilesubstrate through Cydia. Usually I try to keep updated with the latest and greatest (I’m a technology junkie) so I ran the upgrade while I grabbed my morning cup of tea (I’m also English after all). Normally after an upgrade you’ll see a prompt to restart springboard, however with this update the phone rebooted part way through the install. A worrying signal. After the reboot everything seemed to be fine, except Cydia refused to start fully. After showing the default Cydia screen for a few seconds, Cydia would disappear.

After a couple of reboots to make sure the issue wasn't going to solve itself, I had a quick look on Saurik's Twitter feed, but he had no mention of the issue. Several followers however were having the same issue. Time to find a solution.

I dropped to the terminal (although making an SSH connection would also have done the trick) and su'd to root. For those new to this, the default password for root is alpine, and if you've upgraded to version 3.0 this WILL have been reset. So change the root and mobile users' passwords using 'passwd' before somebody else connects and does ;) Anyway, I digress.

After getting root access it's time to see what state the mobilesubstrate and cydia packages were in. After an 'apt-get update' (to get the updated package lists) and an 'apt-get install cydia' it looks like the package is corrupted, as I'm prompted to run the dpkg configure:

dpkg --configure -a

After this is completed, I reran the 'apt-get install cydia', and then an 'apt-get upgrade' to reinstall the failed mobilesubstrate and, in my case, the new VoIP 3G app. After another reboot (type reboot at the prompt, or whatever your preferred method is) things seem to be running fine again.

For those with short attention spans:

  • Shell access (terminal or ssh)
  • Su to root
  • dpkg --configure -a
  • apt-get update
  • apt-get install cydia (if this fails add --fix-missing)
  • apt-get upgrade (to install mobilesubstrate correctly)
  • reboot

I hope this solves your issues as easily as it did mine. Let me know if you have any issues.

Update: There are a few other guides going around telling you to connect the iPhone to your system (or use iFile) and then delete specific files. I've not tested these fixes, but the chance of deleting files you need is always there. I'd suggest using the easy fix with apt-get before trying the file deletion route. However, it's a personal choice.

Update: As a few comments have noted, the nice people at WordPress reformed the -- into a single – when displaying the page. This should now be fixed using the magic trickery of HTML comments to split the two characters ;)

Protecting your browsing with iPhone SSH tunnels

Most of the time I feel relatively secure when I'm browsing the web or checking twitter on my iPhone. That said, I rarely use the built in wireless for these purposes, and rely instead on the reasonably good 3G network in Austria. When I'm out of the country I usually try to buy a pay-as-you-go SIM card and pay for the daily data transfer. This isn't as expensive as you'd think. For example in the Netherlands it costs around €3.50 per day of data transfer. Not cheap if you're using it long-term, but if you're only there for a couple of days it's a lot cheaper than paying for a hotel WLAN that's insecure and only works inside the hotel. Still, this solution doesn't work everywhere and isn't for everyone. The fallback is to use whatever wireless you can find, insecure or not. This is something I've been fighting with for a while now, stemming (mostly) from my unwillingness to set up a VPN server (my home ADSL isn't good enough quality, and doesn't have a fixed IP) or pay a huge price for a VPN solution through my existing hosting provider (thanks for the cheap hosting Dreamhost).

The iPhone (at least version 2.2.1) supports the use of HTTP proxies when connecting via a wireless connection. This is great. Surely I can set up an SSH tunnel to my server and tell the iPhone to use this as a SOCKS proxy. As with everything on the iPhone however, simple always turns into complicated very quickly. I experimented with this solution and found that the HTTP proxy support was really just that, HTTP proxy support and nothing else. So back to the drawing board. I searched for another solution and settled on using the 3proxy application (in Cydia for those lucky enough to have a jailbroken iPhone) to set up a local HTTP proxy that forwards on to the SSH tunnel.

A few requirements to get this up and running on your iPhone.

  • A Jailbroken iPhone (or iPod Touch)
  • SSH Client installed
  • 3proxy (available in cydia)
  • terminal application
  • An SSH server (setup for either password or certificate access)
  • Backgrounder (or some other way to run commands and have them running in the background)
  • OPTIONAL: iFile (easy file editing)

Starting off we'll take a look at the configuration of 3proxy. With the following configuration you tell 3proxy to forward all traffic to a second proxy server, this time a SOCKS proxy (in this case the SSH tunnel's local listener).

#!/usr/bin/3proxy
daemon
auth iponly
log /var/log/3proxy.log D
rotate 5
fakeresolve
internal 127.0.0.1
allow * * 127.0.0.1
parent 1000 socks5+ 127.0.0.1 8081
proxy -p8080 -a -i127.0.0.1

The quick rundown on the above configuration.

  • #!/usr/bin/3proxy – Tells the script what interpreter program to use
  • daemon – Tells 3proxy to run as a background process
  • auth iponly – Sets the authorization to be IP restricted
  • log – Set up a log that rotates daily (the D option)
  • rotate 5 – Sets the number of log files to keep before rotating
  • fakeresolve – Tells 3proxy to route DNS lookups through the parent proxy instead of resolving them locally
  • internal – Listen on the internal (loopback) interface only
  • allow – Currently set to * for all (you can limit this by username/password or IP, however this caused issues in testing)
  • parent – This is where we're setting the next proxy in the chain (1000 means always use this parent, socks5+ is the type, and then the SSH tunnel's listening IP and port)
  • proxy – This final command tells 3proxy to start an HTTP proxy on port 8080 using anonymous proxy mode (-a) and listen only on the internal loopback address (-i127.0.0.1)

You can find more configuration information on the 3proxy website. Although leaving the allow set to * (all) is a concern, remember that the proxy is only listening on the localhost address, so from outside the port is not reachable (a port scan of the phone confirms this).


Now that we've got the 3proxy.cfg file saved (mine's stored in /usr/bin with the 3proxy executable) you'll need to run chmod +x to make it executable. Next up is the SSH tunnel, and doing this on an iPhone isn't much different from a normal Linux system (just harder to type for obvious reasons). I opted to add a certificate for quick, easy access and restricted access to the certificate to the root user on the iPhone (you have changed your root password, right ???). I added the private key to ~/.ssh/id_dsa (or id_rsa, your choice) and set up a bash script to kick off the SSH tunnel (typing that command each time gets boring fast).

ssh -D 8081 -N -C username@remotehost.your.domain -2 -p 64000 -i /home/root/.ssh/id_dsa

The above command is a simple SSH tunnel setup to connect to port 64000 on remotehost.your.domain and log on as the user username using the certificate file stored in /home/root/.ssh/id_dsa. It will then set up a local listener on port 8081 (-D) and dynamically route all traffic coming to this port through the SSH tunnel. As we're treating the tunnel as a SOCKS proxy we don't need to have anything else set up at the other end (no other proxy server waiting to route the requests), although you could set up privoxy or any other kind of proxy if you wanted more control.

So, now that we have the two parts of our configuration ready we just need to drop to the shell and kick off the SSH tunnel (using your bash script), and then start up 3proxy by running the /usr/bin/3proxy.cfg script. I've linked it all into a single bash script to make things a little quicker.

In testing, Safari works pretty well (minor decrease in performance, as you'd expect). Twitterfon was the second application I tested. Although this follows the HTTP proxy rule, it still insists on doing DNS lookups for advertising outside of the proxy. This is also the case for a couple of other applications. Mail doesn't follow the HTTP rules, however you can easily set up additional 3proxy ports for these, or use SSL and make sure your DNS is all piped over the local listener and through the SSH tunnel (3proxy also supports a DNS caching proxy and TCP and UDP forwarding proxies).
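To show what the socks5+ parent and fakeresolve lines buy you, here is an added example (not code from this post or from 3proxy) of the SOCKS5 handshake a local HTTP proxy performs against the ssh -D listener: the hostname from the app's CONNECT request is handed to the SSH server unresolved (address type 0x03), which is exactly why lookups an app does by itself outside the proxy, as Twitterfon does for adverts, leak while proxied ones do not. The 127.0.0.1:8081 listener is the one from the configuration above; the CONNECT line and hostnames in the comments are constructed.

```python
import socket
import struct

# Added example, not code from the original post or from 3proxy: the SOCKS5
# client handshake 3proxy performs against the "ssh -D" listener on
# 127.0.0.1:8081. The address type byte is the point: sending the hostname
# (ATYP 0x03) makes the SSH server resolve it, so no DNS query leaks locally.
SOCKS_VERSION = 5
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def socks5_greeting():
    """Client hello offering only the 'no authentication' method (0x00)."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def socks5_connect_request(host, port):
    """CONNECT request: literal IPv4 packs as ATYP 0x01, names go verbatim."""
    try:
        addr = struct.pack("!B4s", ATYP_IPV4, socket.inet_aton(host))
    except OSError:  # not a dotted quad: send the name for remote resolution
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_line(line):
    """Split b'CONNECT host:port HTTP/1.1' from a local app into (host, port)."""
    method, target, _version = line.strip().split(b" ", 2)
    if method != b"CONNECT":
        raise ValueError("only CONNECT is handled here")
    host, _, port = target.rpartition(b":")
    return host.decode("ascii"), int(port)

def socks5_reply_ok(reply):
    """True when the proxy answers our CONNECT with REP = 0x00 (succeeded)."""
    return len(reply) >= 2 and reply[0] == SOCKS_VERSION and reply[1] == 0x00

def open_via_socks(host, port, socks_addr=("127.0.0.1", 8081)):
    """Handshake through the ssh -D listener and return the tunnelled socket."""
    s = socket.create_connection(socks_addr)
    s.sendall(socks5_greeting())
    ok = s.recv(2) == bytes([SOCKS_VERSION, 0x00])
    if ok:
        s.sendall(socks5_connect_request(host, port))
        ok = socks5_reply_ok(s.recv(262))
    if not ok:
        s.close()
        raise ConnectionError("SOCKS5 handshake with the tunnel failed")
    return s
```

Passing a hostname that the phone has already resolved locally would come out as an ATYP 0x01 request and defeat the purpose, which is the behaviour the fakeresolve line prevents in 3proxy.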

[Screenshots: Safari (no proxy), Twitterfon (no proxy), Twitterfon (through proxy)]

Supported:

  • Safari
  • Twitterfon (partially: Advert DNS lookups are still a possible concern/attack vector)
  • Cydia
  • AppStore
  • iTunes
  • Youtube
  • Weather
  • GRiS
  • WordPress (partially: As with the Twitterfon issue, the DNS appears to ignore the HTTP proxy settings)

Obviously these were just the applications I tested. I’d suggest running your own tests to ensure that you’re seeing the same results.

Not-Supported:

  • Mail (setup a port forwarder to achieve support for email)
  • Siphon (This is a real disappointment)
  • F-Stream
  • … probably more, so your mileage may vary

If you test any other applications please let me know and I’ll add it to my list.

Once you've finished using the SSH tunnel and proxy, remember to kill -9 them from the console.

TODO:

  • Test with alternative “allow” settings to restrict access further (username/password too easy)
  • Prevent initial DNS lookup on SSH Tunnel (i.e. dyndns service)
  • Log bug with Twitterfon regarding DNS lookups
  • Find an easier way to trigger the tunnel & 3proxy build-up/tear-down
  • Resolve issue of tunnel disconnecting when screen gets locked (FOR loop ???)
  • Use the tunnel for 3G connections (paranoid much !!!)