Blog

  • Ransomware, should you really be bothered?

    What is a ransomware attack?

    Simply put, it’s a virus attack that encrypts all the files on your computer/laptop and makes it impossible to access your data. Even though the file is still sitting on your computer/laptop, it’s just not sitting pretty anymore. You are not in a position to really do much till the time you cough up the money(read ransom) to decrypt it. This is worse, as you can’t really report your data stolen; because it’s not. Your files are just where they were, before the attack. Just not the same files anymore, as you cannot get access to your data. If you have backups, fantastic. Screw these a**holes, you can restore your data in a few hours. However, we do hope that backup drive was stored in a safe place after your last backup, and not attached to your computer at the time you got infected. If you fall in the latter category, you have just lost all your backups as well to ransomware.

     

    Ransomware
    This is not funny!

    What do you stand to lose from it?

    Everything! You might think you do not have much saved on your computer, think again; what about pictures from your last vacation? Documents and presentations you worked on for weeks/months/years? Pictures of family time spent together? What would losing that mean to you? These must be priceless, to say the least.

    Hey, I have an antivirus. I am protected!

    One word answer, NO. The reason being the way Antivirus software work. Antiviruses work by storing a massive database of digital signatures of known viruses. When you scan your computer, it checks each file against this digital signature list to see if it comes up with a match. If it does, it flags the file as a threat and attempts to quarantine and delete it. To detect previously unknown viruses Antiviruses use heuristic analysis. They study the behaviour of the software that is presently installed and running on the computer and if they find any suspicious activity, the antivirus flags it as a potential threat. This approach while effective, does not guarantee that every instance of an attack will be caught. A ransomware attack, might just catch an antivirus off guard.

     

    You think you're safe. You are not.
    Ransomware : Antivirus is not complete protection

     

    So what can you do to stay safe?

    • Patch, Patch, Patch.  Make sure your Operating System is patched at all times. Never leave installing updates for later.
    • Make sure you have security software installed and definitions for those are updated daily. Scan your computer on a regular basis.
    • Maintain regular backups of your data on an external drive and make sure to disconnect the drive after completing your back and store it in a safe place.
    • Exercise good judgement when downloading attachments sent via emails. Not viewing a few cat videos, certainly will not ruin your day. But downloading a malicious file, just might. So use caution.
  • Intercepting proxy and how to use it?

    Given that you are here, we assume you have heard the term intercepting proxy before? If not, let us help you understand what it is and more importantly, what it does.

    What is an intercepting proxy?

    An intercepting proxy is an application that sits between your browser and the web application. Why would you want something like that in the first place? It let’s you view the requests/response chain that is normally hidden by the browser. Still having problems understanding it, continue reading, we’ll simplify it for you.

    An analogy

    Think of it like a funnel(intercepting proxy), that stands between the glass you hold in your hand(web browser) and the bottle on the table(the web application). The liquid contents(server side data) have to flow from the glass through the funnel to reach the bottle. That is exactly what an intercepting proxy does. Along with allowing you to view it, you guessed right, it allows you to edit the information as well.

     

    Intercepting Proxy
    An intercepting proxy is much like a funnel

     

    There are quite a few intercepting proxies out there, the ones that we normally use are

    1. Burp Suite
    2. OWASP ZAP (Zed Attack Proxy)

    For all future examples, we will be using Burp Suite and there is no particular reason for doing that. It’s just a matter of preference and we use Burp Suite a little more than we use Owasp ZAP.

    This is what Burp Suite looks like once you have run the application. It’s incredibly feature rich and over time we will help you use it’s features. But for now, let’s just configure it to be used along with the browser.

    Intercepting Proxy
    Burp Suite Intercepting Proxy

    To start things off you would need to configure your network settings in the browser to use Burp Suite, to funnel all the data through it. For our browser, we will be using Mozilla Firefox for this tutorial. We would suggest installing an extension, Proxy Switcher to make it easier to swap between using/not using a proxy as and when needed. You can install Proxy Switcher from the link provided above.

    Once you have done that, now all that’s left is for the browser and the intercepting proxy to talk to each other. So let’s configure the intercepting proxy first,

    Click on the Proxy tab -> Options ->Under Proxy Listeners, click Add, Enter 8080 as the port number, Click OKintercepting proxy configuration

    What is this 8080 you might ask?

    We instructed the intercepting proxy to listen to port 8080 for any signs of data traffic. You can choose any port for that matter, other than ports 0-1023(For ports below 1024, the listener does not start). Hit OK once you have chosen a port, and make sure that the check box below running is ticked. If not, you can start it by just clicking on the box. Your proxy window should look like the screen shot below. That’s it for the intercepting proxy!

     

    Proxy Listener is working
    Proxy Listener is working

    Moving on to the browser. Click on the Proxy Switcher icon in the tool-bar of the browser, if you computer does not use any proxy of any sort, by default No Proxy will be selected. No Proxy means that there is nothing configured to intercept the traffic between the web browser and the web application. We need to change that in order for our Intercepting Proxy to start seeing data. Click on Manual and under HTTP Proxy type in 127.0.0.1 and 8080 in the port field.

     

    Browser Configuration
    Browser Configuration

    Let’s try visiting our first website. Let’s head over to BBC

    Once you type the address in the address bar and hit enter, the Intercepting Proxy (Burp Suite) automatically catches the request.

     

    Intercepted request on bbc.com
    BBC Intercepted Request

    Burp Suite shows you what the browser really does in the background when it makes a request on your behalf. It shows the request in raw form, allowing you to edit the request if needed. More on this in future posts.

    Click on Forward button in Burp Suite, to allow it to forward the request to the BBC server. Now we are sure that Burp Suite, our Intercepting proxy is sitting in the middle of the web browser and the web application. Let us try to visit a site that has HTTPS enabled. HTTPS stands for Hypertext Transfer Protocol Secure. If you assumed that this is a secure version of HTTP, you are absolutely correct.

     

    Certification Error - Connection is not secure
    Connection is not secure

    Why do sites with “HTTPS” not work?

    You will soon realize that you cannot access any websites that have “HTTPS” in the protocol portion of the address bar. This is because there is no Certificate Authority signing the SSL certificates. We need to install Burp Suite’s CA certificate as a trusted root in the browser to make this work.

    To do that, type in https://burp in the address bar of the browser and hit enter.

     

    Burp CA CERT
    Burp CA CERT

    Click on Advanced -> Add Exception and you will be taken to the web page from where you can download the CA Certificate. Click on the CA Certificate link on the page, and it will show you a dialog box to download the certificate file cacert.der. Click Save.

    CA Cert file
    CA Cert File

    The last step is to add this certificate as a trusted root in the browser. For this purpose, go to

    Preferences – > Advanced -> Certificates -> View Certificates -> Import

    Navigate to where you stored the cacert.der file, saved previously. On the pop up that appears, select Trust this CA to identify websites.

    CA Cert to identify websites
    CA Cert to identify websites

    And now if you check again, your browser should load the “HTTPS” websites without much trouble. That’s it, you have successfully configured an intercepting proxy to listen to the traffic between your browser and the web application.

    This is the first step in our series to help with understanding the nuances of Web Security. We intend to make this as informative as possible, while still keeping it simple. An intercepting proxy is the first step in this journey, and that’s why it finds its way here. Hope you enjoyed this post. Stay tuned for more content on Web Security.

     

     

  • Website security needs skills, real skills.

    The need for website security has increased leaps and bounds over the last few decades. Every other day there are news reports of websites getting hacked, people’s mail accounts being stolen, credit card data being leaked; how do you make sure your website is not vulnerable?

    It’s difficult living in our times when it comes to anything to do with security, everything from cars to water purifiers are automated. All this automation comes at a cost, the cost of your personal privacy. Your privacy and that of others stands the risk of being compromised if exploited. In this day and age, when Chrysler Jeeps are getting hacked, ATMs are being hacked using smartphones to steal money; companies that have huge coffers of money are being taken down, how does an average Joe keep his/her website secure? Moreover how do you keep your digital identity safe?

     

    Stay safe on the Internet | website security
    Stay safe on the Internet | Digital Security

     

    “I always seem to always get hacked, how can I improve my website security?” – Most searched query

    Short answer? Find someone who can help you with your security. Not someone who can help fix your website once it’s hacked. Someone who can and would advise you on how to stop the attack in the first place. Not all hacking is something new and revolutionary, most of it is stuff that has been on the Internet for years. And that’s a fact. Time on time again, OWASP Top 10 has the same issues listed over and over again, just in different order(depending on where vulnerabilities are “trending” in the past few years, if we can say that). Someone who you can call up at 3a.m. in the morning(not that it should come down to this), and the voice at the other end of the line says, “Let me help you fix that”. And when they mean help, they should actually mean it. You should be able to trust the person at the other end of the line to pull you through.

     

    work together | website security
    Work together

    How do you know who to work with for your website security?

    Before we answer the question, allow us a moment to tell you what we feel are absolutely essential qualities needed:

    1. The right skill set
    2. Prompt to fix things when reported/discovered
    3. Trust

    The right skill set is obviously very important. If someone does not have the skills, then you need to find someone who does.

    How would you find someone with the skills you need?

    A lot of people out there have impressive profiles, that they wield around like a magic wand. It sometimes gets difficult to find out if a person actually knows what they are talking about. So how does find out people with the right skills? How would you know if they can walk the walk as well as talk the talk? The answer is this, you will need to ask them questions. Questions that evoke the responses other than the usual your business is at a 70% chance of taking a hit or that there is a huge risk to your data etc. What we would suggest here is to ask them to what are the business risks that could possibly affect your business. If they get all analytical and calculative and they cannot really explain it in layman’s terms, well then they might not have the actual practical experience you need. They need to be able to break down the difficult things into easy to understand language. They should be able to make analogies, because everyone who is good at what they do can break it down into smaller byte sized pieces. It does not take a genius to be able to do that. One famous analogy describing radio communication(Albert Einstein amongst others, including the Shah of Persia who are credited for this quote) , “You see, wire telegraph is a kind of a very, very long cat. You pull his tail in New York and his head is meowing in Los Angeles. Do you understand this? And radio operates exactly the same way: you send signals here, they receive them there. The only difference is that there is no cat.” (Albert Einstein)

    Prompt to fix things when reported/discovered? Why is this here?

    It finds its way here only because way too many people sit on bug reports thinking that it’s not that bad, that it’s not important enough to fix right away. And low and behold, some time later, the inevitable happens – website gets hacked. Snapchat , Target, Sony are all companies who knew about existing vulnerabilities within their infrastructure and did nothing. Nothing! When people take the time out of their daily lives to tell you about a vulnerability present in your infrastructure, you should get around to fixing it right away.

    Last question, how do I know “who” to trust?

    Trust is a big one here, probably the biggest one when it comes to website security. Having the right skill set and fixing things on time are non-negotiable for you to stay safe. However, all that matters little if you cannot not trust the person you are working with. So how you trust someone? Well there is no sure fire way to know right off the bat whether you can trust someone. It does get a little difficult answering that with a definite answer. We feel it’s easier to relate to it when thinking of it in terms of the comfort level. How comfortable are you dealing with the person? If you are comfortable enough, you would end up trusting the person. Also, you must consider alignment of interests. Do it serve the person’s interest to help you with security or does the person only care about his paycheck? It all boils down to whether you judged correctly, when enough water has passed beneath the bridge. Here we would like to quote the great Sufi sage, Mulla Nasrudin :

    Good judgement comes from experience, often, experience comes from bad judgement. | website security
    Good judgement

     

    You never really know who you can trust, without taking the first step. In time though, you should be able to see if the relationship works out well for you. Unless of course you hit a patch of bad luck and end up working with someone like Max Vision, in which case we would like to wish you the best of luck.

     

  • Starting SSH on boot Kali 2.x

    SSH won’t start at boot on Kali 2.0?

    Don’t worry, it’s because Kali 2.x is based on Debian 8, as opposed to Kali 1.x being based on Debian 7.

    Kali 1.x uses init/update-rc.d;

    Kali 2.x uses systemd/systemctl

    For Kali 1.x, the command is

    #update-rc.d -f ssh defaults

    For Kali 2.x, the command is

    #systemctl enable ssh.service

    Starting ssh on boot kali 2.x
    sudo systemctl enable ssh.service

    And that’s it, you are done. Feel free to leave comments

  • Create strong passwords that actually work!

    Every time we are faced with creating a new account on some website, we cringe at the thought of having to create one more “password”. Arrrrggggghhhhh!!!! It’s easier to reuse the same password I used last week, to sign up for the shopping site. One strong password for everything; that ought to work right?

    It works, till one account gets compromised. Since you used the same password on multiple websites, all of a sudden all those accounts also stand compromised. And going by the state of things today, that can happen real soon.

    So what are your choices, if not this?
    Well that’s where we come in, to tell you how to create strong passwords. We at SecurityJedi have been using strong combination passwords for as long as we can remember. The method used to create strong passwords is to take four unrelated words, string them together to form a strong password.

    Correct Horse Battery Staple
    Creating strong passwords

    Here is where we got the idea from. We have to admit, it’s a great way to create strong passwords. Now at this point some of you might be wondering how do I find four unrelated words? Well to be honest, they do not need to be completely unrelated, but something that you can relate to while still keeping it difficult to guess.

    Say for example you enjoy online shopping; four unrelated words you could choose could be, collar button sleeve cuff, that could be your password and that would be perfectly alright. It’s not so much as finding four difficult words to piece together, just stuff that you can relate to easier and yet make it a little difficult to guess at the same time.

    However, if you use a lot of web services, in no time you would be running out of memory space trying to remember all the passwords. In the event that you have a lot of accounts that need strong passwords, remembering all this data would require a lot of processing cycles of your brain. That by any measure, is not an easy task.

    Enter Password Managers.

    For the ones who have too many accounts to keep track of, we would recommend using a password manager. There are a few options to choose from, LastPass, Dashlane, KeePass etc. We use Lastpass and are quite impressed with it.

    LastPass - Password Manager
    LastPass

    It serves the purpose perfectly. All you need is to create one master(because you only need one, you can make it increasingly complex) password, to be used to login into LastPass. They have browser extensions for both Chrome and Firefox, so as to avoid having to login into the website. Once logged in, you can create passwords having varying degrees of complexity and of any required length. Password Managers like LastPass help you create secure passwords, that are increasingly complex and best of all, you do not have to remember any of it. It does make your life easier and certainly secure, just as we like it here at SecurityJedi.

  • Metasploit smb_login fails with status_logon_failure

    If you are using Metasploit and have ever tried running the smb_login module against a Windows XP box, chances are high that you have encountered the following error message.

    STATUS_LOGON_FAILURE (Command=115 WordCount=0)
    STATUS_LOGON_FAILURE (Command=115 WordCount=0)

    This will happen if you are running Windows XP in a non-domain environment. When running in non-domain environments, Windows authenticates all network logon requests to be authenticated as Guest instead of the local user account.

    Network Access : Sharing and security model for local accounts
    Network Access : Sharing and security model for local accounts

    To fix this,

    Start -> Run
    
    gpedit.msc
    
    Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    

    And in there, change the value of

    Network access : Sharing and security model for local accounts,
    

    from

    Guest only - local users authenticate as Guest 
    to
    Classic - local users authenticate as themselves
    

    That’s it, and you are done.

    Running the scan again, results in success.

    smb_login_success
    Success, SMB_Login Worked!

     

  • PostgreSQL accepting TCP/IP connections on port 5432?

    Just a short post for anyone who is having this particular error,

    PostgreSQL service not running
    PostgreSQL service not running
    Failed to connect to the database: could not connect to server:
    Connection refused
    Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432?
    could not connect to server: Connection refused. 
    Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432?

    We received this error when we created a new user account(KL) in Kali Linux to run as, rather than use the root account.

    The reason for getting this error is that the service PostgreSQL is not running on the box. So all we have to do is to start the PostgreSQL and Metasploit services.

    sudo service postgresql start; sudo service metasploit start
    Start services PostgreSQL and Metasploit
    sudo service postgresql start
    sudo service metasploit start

    To avoid having to type this in every time you reboot the box, you can just have those two services startup at boot.

    Configure PostgreSQL and Metasploit to start on startup

    sudo update-rc.d postgresql enable
    sudo update-rc.d metasploit enable
  • Easy way to tunnel VNC over SSH?

    Why would you want to tunnel VNC traffic over SSH?

    VNC as we know is a graphical desktop sharing system. It uses Remote Frame Buffer(RFB) protocol to remotely control another computer. By default, RFB is not a secure protocol. So in order to make it secure with encryption, we would need to tunnel traffic over SSH.

    To tunnel VNC traffic over SSH, the following requirements need to be met :


    Let’s first begin with the host computer and your first cup of coffee.

    1. Configure OpenSSH

    blackMORE Ops has a great tutorial on how to get this done. Have to say, it’s the best tutorial that we have come across. Here is a link to it, configure an OpenSSH server.

    2. Installing VNC software.

    apt-get install tightvncserver
    TightVNC
    sudo apt-get install tightvncserver

    For Kali Linux, we did not have to install TightVNC. It was already there. Next up, running TightVNC on the host computer.

    tightvncserver
    TightVNC

    In order to start TightVNC, just run the commands below. You will be asked to create a password to continue. This password you will need to access the host computer.

    tightvncserver
    Enter Password:
    Verify Pasword:

    Starting VNC at boot.
    You might want to start the VNC service at boot, rather than having to log in every single time you want to use it. In order to do that, copy the contents of the code below, create a file called tightvncserver and put in the following location “/etc/init.d/tightvncserver

    The following script was taken from, http://www.abdevelopment.ca/blog/start-vnc-server-ubuntu-boot.

    #!/bin/sh -e
    ### BEGIN INIT INFO
    # Provides:          vncserver
    # Required-Start:    networking
    # Required-Stop:     networking
    # Default-Start:     3 4 5
    # Default-Stop:      0 6
    ### END INIT INFO
    
    PATH="$PATH:/usr/X11R6/bin/"
    
    # The Username:Group that will run VNC
    export USER="<username>"
    #${RUNAS}
    
    # The display that VNC will use
    DISPLAY="1"
    
    # Color depth (between 8 and 32)
    DEPTH="16"
    
    # The Desktop geometry to use.
    #GEOMETRY="<WIDTH>x<HEIGHT>"
    #GEOMETRY="800x600"
    GEOMETRY="1024x768"
    #GEOMETRY="1280x1024"
    
    # The name that the VNC Desktop will have.
    NAME="my-vnc-server"
    
    OPTIONS="-name ${NAME} -depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY}"
    
    . /lib/lsb/init-functions
    
    case "$1" in
    start)
    log_action_begin_msg "Starting vncserver for user '${USER}' on localhost:${DISPLAY}"
    su ${USER} -c "/usr/bin/vncserver ${OPTIONS}"
    ;;
    
    stop)
    log_action_begin_msg "Stoping vncserver for user '${USER}' on localhost:${DISPLAY}"
    su ${USER} -c "/usr/bin/vncserver -kill :${DISPLAY}"
    ;;
    
    restart)
    $0 stop
    $0 start
    ;;
    esac
    
    exit 0
    

    Replace <username> in the script above to an user name that you have on the host computer.
    Make the script executable

    sudo chmod +x /etc/init.d/tightvncserver

    Run the script so that it starts automatically at boot.

    sudo chmod +x /etc/init.d/tightvncserver
    sudo update-rc.d tightvncserver defaults

    Reboot the host computer and check if the TightVNC service is running. If not, you are doing something wrong, re-check your steps.

    ps -e | grep vnc
    Is TightVNC running? Yes, it is.

    To find out which port on the host computer where the TightVNC service is running, and the IP address; follow the steps below.

    ifconfig - To find out IP address of Host computer
    To find out IP address of the host computer
    Find out VNC port
    To find out the port number
    ifconfig
    sudo lsof -i -P | grep -i "listen" | grep vnc
    

    Ports 6000+N are used as X Server Port
    Ports 5900+N are used as VNC Client Port, and this is the port that we are interested in.
    For us, the IP address is 192.168.56.102 and the port number is 5901.

    Now that we have our host computer ready, let’s move on to the client computer. We are halfway through and you should be midway through your first cup.


    Client computer configurations

    1. Configuring PuTTY
    Double click on PuTTY, you should get a window like the one below.

    Enter Host Name and Save the Session for easy access later
    PuTTY Configuration

    Enter the Host Name, the IP address of the computer where TightVNC Server is installed.
    In our case, the Host Name is the address within the Host Only Address namespace in VirtualBox.
    Once that is done, enter a name for this session under Saved Sessions and then click Save. That will come handy when we have to configure the remaining settings.

    Next under SSH, on your left hand window, click on the + icon. Under there, click on X11.

    Check Enable X11 Forwarding

    Then move on to Tunnels, on the left hand window.

    Enter Source port, and Destination Port
    Tunnel configuration for the VNC connection
    Source Port : 5901
    Destination Port : <Host computer IP address>:<5901>
    Click Add

    Depending on your port number when your VNC session starts up, the value can change(5901, 5902, 5903 etc).
    Click back on Session, and hit Save(make sure your changes are being saved to the correct session). Once that is complete you are at the finish line. Your coffee must be starting to get cold now.
    Run PuTTY again, and this time double click directly on your saved session. In the screen below, login using your details.

    Run saved PuTTY session
    Run saved PuTTY session

    You should get a screen similar to the one below,

    PuTTY login screen
    PuTTY login screen

    Enter your details here, user name and password and you should be logged in. Next fire up the TightVNC viewer on your client computer.
    Under Remote Host, type in localhost:1 (1,2,3 depending on which port the VNC session is running, 5901,5902,5903 etc). In our case it’s 5901, hence localhost:1.

    localhost:1
    TightVNC Connection

    If it’s correct, it will show you the window for VNC Authentication.

    VNC Authentication
    VNC Authentication

    Once you enter the correct credentials, you should be logged in into your host computer over SSH. And by now, you should be done with your first cup of coffee. The second cup, well you should enjoy that for getting it setup correctly. If not set-up, you can sip that while troubleshooting errors/issues. 🙂

    SSH tunnel working
    SSH tunnel working

    Final Comments

    While most would not need to tunnel VNC connections over SSH, however like said before VNC is not a secure connection. Tunneling it over SSH, makes it secure, and well that is what we love.

    Thank you for reading. Hope this tutorial was of help to you. Feel free to fill in comments below.