Saturday, April 29, 2017

Hacked!

When people get hacked, they often ask me if I hacked their system (because I work as a professional hacker). The answer is NO. I don't have time to hack stupid stuff.  I don't hack for free.  And I don't hack illegally. That's what losers do.

Most often the causes of people being hacked are:

1. They received an email that says they've won $10 million. "Please click here to receive." lol
2. They click on a popup that says their computer is hacked and to install the "anti-virus" software from the popup to clean it. Often the free "anti-virus" software is the trojan. Even if it's not free, it's a scam to get people to buy unnecessary software.
3. People are downloading software, music, and movies illegally. STOP IT. That's how people most often get hacked. They often use some kind of torrent software.
4. People visiting risky websites and clicking on them.
5. Opening an attachment from a friend that contains a funny joke.

People should:

a. have a restrictive firewall up
b. have anti-virus software running
c. update the software on their system to patched versions
d. not do any of the silly things listed in 1-5

Tuesday, March 7, 2017

Network Pen Testers

To me it seems crazy that in this day and age, there are tons of certified network pentesters holding jobs as pentesters, yet they do not know how to use the Metasploit command line or even modify a script on Exploit-DB to make it run correctly.

I'm not even asking them to be able to modify or even write a custom Metasploit module.  Just be able to use the tool.

The amazing thing is there are many self-proclaimed "elite hacking teams" at companies out there who don't even know how to use port forwarding when testing a remote closed network.


Network Vulnerability Scanners

There are many network vulnerability scanners out there.  Many of them are poor quality.  For instance, one particular tool lists hundreds of vulnerabilities for a service running on the network simply based on the fact that the version banner states it is a certain version.  These tools do not check for a vulnerability.

That's right.  Many of these tools do not check for a vulnerability.  Instead they look at the version number on an Apache web server or a MySQL server and then list hundreds of false positives.  The version number could be incorrect and/or patches may have been backported.  This is no different from static code analyzers that try to impress users in fancy demonstrations with thousands of findings that are false positives.

These tools are a waste of time and energy.  Get yourself a real tool that actually does a vulnerability check.
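The banner problem described above, as an added example that is not from the original post: the first function reproduces what a banner-only scanner reports, and `triage` separates those findings once evidence from the host is available. The advisory IDs, versions, sample banner and the `fixed_in_package` input are constructed placeholders.

```python
import re

# Constructed advisory feed: placeholder IDs and versions, not real CVE data.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "product": "apache", "fixed_upstream": (2, 4, 10)},
    {"id": "ADVISORY-PLACEHOLDER-2", "product": "apache", "fixed_upstream": (2, 4, 30)},
]


def parse_banner(banner):
    """Return (product, version_tuple) from a banner such as 'Apache/2.4.6 (CentOS)'."""
    m = re.match(r"\s*([A-Za-z_-]+)/(\d+(?:\.\d+)*)", banner)
    if not m:
        return None  # version hidden or banner rewritten: the scanner learns nothing
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def banner_findings(banner):
    """What a banner-only scanner reports: every advisory fixed in a later upstream release."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    # Compare as integer tuples; as strings, "2.4.6" would sort after "2.4.10".
    return [a["id"] for a in ADVISORIES
            if a["product"] == product and version < a["fixed_upstream"]]


def triage(banner, fixed_in_package):
    """Split banner findings using evidence from the host itself.

    fixed_in_package: advisory IDs that the installed vendor package's changelog
    lists as patched (hypothetical input, gathered by an authenticated check).
    """
    result = {"backported": [], "unverified": []}
    for adv_id in banner_findings(banner):
        key = "backported" if adv_id in fixed_in_package else "unverified"
        result[key].append(adv_id)
    return result


if __name__ == "__main__":
    banner = "Apache/2.4.6 (CentOS)"  # constructed sample banner
    print(banner_findings(banner))
    print(triage(banner, {"ADVISORY-PLACEHOLDER-1"}))
    print(banner_findings("Apache"))  # version suppressed: nothing reported either way
```

Anything left under `unverified` is still only an inference from the banner and needs a real check before it is reported as a vulnerability.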

Thursday, July 3, 2014

QualysGuard Private Cloud Platform Security Architecture and Pen Test Review

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control.  If taken at their word, this may seem promising, but the reality is that Qualys will still have to manage this platform remotely.  By doing so, they will have access to this data remotely and can pull it down to their site as needed.  Needless to say, Qualys requires the client to provide a backdoor to the system.

The Qualys PCP equipment is leased and never sold to the customer.  There are many legal issues with this, which allow them to access their equipment.  They require the customer to give them remote access in order for them to manage it remotely.  That is a requirement and not an option.  They keep it a big secret how it is managed.



Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel

2. VPN remote access account




Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site.  In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys.  Such requests were flat out refused during a security assessment.  What they pull back is their business and the customer has no right to know.



Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing.  This traffic analysis did show a few weaknesses.

1. Emails were being sent to the email server UNENCRYPTED.  Yes, one could see the message being sent as well as who the recipients were.  Emails were being sent back to Qualys through the Internet.  A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports, and full internal DNS names.



2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center



3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains.  It looks like the system has not been fine-tuned to be hosted at a client site.  The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.






4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin




5. syslog messages sent across the network unencrypted.  

Firewall Rule Analysis

Firewall rule analysis shows that SSH, as well as the HTTP(S) protocols, is allowed into the platform through the VPN firewall.


Internet Access

The Qualys PCP itself does pass network traffic in and out of the controlled access network environment, as seen in the diagram below.



1.    The Qualys PCP Service Network requires outbound communication for
a.    NTP – Time Synchronization
b.    DNS – Name Resolution
c.    SMTP – Email
d.    WHOIS – External Internet
e.    Daily Vulnerability Updates - External Internet.



WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443.  In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates.  A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.  

2.    The physical scanners communicate to the Qualys PCP.  This requires that inbound port 443 be opened on the PCP.  Physical scanners in the DMZ also need to communicate to the PCP on port 443.  Access to the PCP from the DMZ increases the risk.

3.    Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.



Virtual Scanners
A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP.  In particular, it uses SSLv3 with RC4-MD5.  MD5 is obsolete.  Qualys documentation claims they use TLSv1 and the latest modern secure protocols.

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities.  The server itself was found to be vulnerable: it accepts login credentials for API requests that are base64-encoded and passed over plaintext HTTP.  This could result in the loss and capture of Qualys Admin credentials, which could in turn result in access to vulnerability scan results.
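Why base64 over plaintext HTTP protects nothing, as an added example that is not from the original assessment: a small monitoring check that flags requests carrying `Authorization: Basic` without TLS and shows that the user name falls straight out of the header. The captured request, host name, path and credentials are constructed placeholders, and the function reports only the password length.

```python
import base64

# Constructed capture: host, path, user and password are placeholders.
SAMPLE_REQUEST = (
    b"GET /placeholder/api/path HTTP/1.1\r\n"
    b"Host: qualysapi.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"demo_admin:not-a-real-password") + b"\r\n"
    b"\r\n"
)


def basic_auth_exposures(flows):
    """flows: iterable of (is_tls, raw_request_bytes) from a network monitor.

    Returns one finding per request that sends HTTP Basic credentials without TLS.
    """
    findings = []
    for is_tls, raw in flows:
        if is_tls:
            continue  # header is not visible on the wire when TLS is used
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *headers = head.split("\r\n")
        for header in headers:
            name, _, value = header.partition(":")
            if name.strip().lower() != "authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                continue
            try:
                decoded = base64.b64decode(token.strip(), validate=True)
            except ValueError:
                continue  # malformed token, nothing recoverable
            user, _, password = decoded.decode("utf-8", "replace").partition(":")
            # Base64 is an encoding, not encryption: report the user, redact the secret.
            findings.append({"request": request_line, "user": user,
                             "password_len": len(password)})
    return findings


if __name__ == "__main__":
    for finding in basic_auth_exposures([(False, SAMPLE_REQUEST), (True, SAMPLE_REQUEST)]):
        print(finding)
```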

Web Application 

The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself.  It was found to be very insecure.  


Friday, April 18, 2014

Yahoo's Downfall

I predicted Yahoo's downfall in 2008 and told my coworkers about it.  The prediction had nothing to do with looking at financials.  It was being displeased with how crappy the Yahoo service is.  I pretty much was using Yahoo for more than 4 years and got fed up with it and switched to Google.  A bad service isn't going to last.  Now the question really is whether Marissa Mayer can save them.

Yahoo in Turmoil

Monday, March 17, 2014

Having a Safe Online Shopping Experience

Online shopping can be quite fun but it can also be quite dangerous as the Internet is full of scam websites posing as legitimate websites.  Some of these fraudulent websites are so well done that they look legit.

Here are some pointers on having a safe online shopping experience:

1. Stick with well known and trustworthy companies when giving them your credit card and personal information.  Such companies are Google, Amazon, Microsoft, and a few others.

2. If there is a site that is not on the trusted list, do a Google search for the name of the site plus the words scam fraud reviews.  For example, google this: badwebsite.com scam fraud reviews.  Look and see if there are any/many bad reviews.  Some good reviews could be fraud as well, so use best judgement and common sense.

3. Make sure you have anti-virus with Internet protection from malicious websites turned on.  This does *not* guarantee 100% protection from malicious websites nor from virus infection but it certainly increases your chances.  Make sure your firewall is turned on as well.

4. Be careful of malicious and suspicious websites.  Don't think you are invulnerable and click on any site you want.  There is such a thing as drive-by downloads that some anti-virus will not detect.  Yes, just by visiting a bad website, you could be infected and compromised even with all anti-virus, anti-malware turned to the max.  Be careful of what websites you visit.  If you google illegal software and music downloads, then most of the sites that turn up are bad websites.  If you google buying illegal drugs, there's a 99.9% chance you will run into a scam site.

5. Use McAfee Secure Search which filters out malicious sites or sites that have been hacked from your search results.  This is a McAfee Site Advisor plugin for your browser.  Google Safe Browsing is a similar service.  Having used both McAfee Secure Search and Google Safe Browsing, they seem to block out only a portion of malicious sites.  So many scam websites were still shown in the search results.  Unfortunately, it does not screen out all bad websites so you must still exercise caution.

6. Verify the reliability and trustworthiness of the website by entering the web site address into:
  1. McAfee Site Advisor. http://www.siteadvisor.com
  2. scamadvisor.com
  3. scamvoid.com
  4. scamanalyze.com
  5. ripoffreport.com
  6. complaintsboard.com
Verify there are no bad ratings.

7. How long has the website been up?  If it's been up for less than 3 years and has no bad ratings, there could be a cause for concern.  Usually bad ratings take a few years to show up.  Most bad websites change their domain names every 6 months to avoid being blacklisted and having bad reviews written about them.  It's like how companies involved in fraud constantly change their names to avoid known detection. lol.

8. Look for a few good ratings on the website that sound legit.  This step requires some common sense. :)  Beware that there are a lot of fraud review sites set up by scam companies.  Make sure that the reviews you are reading are from well known and respected community boards with a variety of opinions.  If some web site claims or reviews sound too good to be true, then they probably are.  Be careful in those situations.

9. When in doubt, don't buy.

10. Assuming nothing bad shows up so far, see if the site allows paying through a safe payment system such as Amazon Payments.  If it does not, it may not be worth doing business with.  This way you are not sending your credit card information to them, but you are still sending PII (personally identifiable information) to them, and that should be done with caution when the recipient is an unknown random website on the Internet.  By the way, you are not likely to get your money back if you use PayPal and got scammed.

Best of luck to you.  While this is no guarantee you will have a safe and enjoyable online shopping experience, it certainly improves your chances by a dramatic factor.  If this sounds like too much work, then  just stick with point #1 and stay with well known trusted sites.