Tuesday, 9 February 2016

It’s time that you – the vulnerable human – brush up on your social engineering skills with Pluralsight


We tend to get very focused on digital security controls: firewalls, antivirus, software updates and then all the usual practices I spend so much time talking to developers about, stuff like defending against SQL injection, cross site scripting and a whole raft of other attacks against systems. But the bigger risk – and it’s one that doesn’t get nearly as much coverage – is attacks against humans. Whereas most of the time we’re thinking about attacks against the systems, we tend to neglect weaknesses in the organic matter controlling them and as a result, social engineering attacks are enormously successful.

I’ve just wrapped up Ethical Hacking: Social Engineering and when reflecting on what I should write here, it was honestly hard to know where to even start. I’ll start somewhere that’s familiar to a lot of people – with this:

Scammer video


No, VTech cannot simply absolve itself of security responsibility

A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked and millions of accounts were exposed, including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents, replete with where they (and presumably their children) could be located. I chose this term deliberately – “allowed itself to be hacked” – because that’s precisely what happened. In an era where major incidents such as Ashley Madison and TalkTalk were front page news in the mainstream press, VTech continued to run a service with such egregious security flaws as the SQL injection risk the hacker originally exploited, unsalted MD5 password hashes, no SSL encryption anywhere, SQL statements returned in API calls (it’s actually in the JSON response body of my post above) and massively outdated web frameworks. What I didn’t write about at the time but reported privately was that they also had multiple serious direct object reference risks; the API that returned information on both kids and parents could be easily exploited just by manipulating an ID. Here’s what I shared with VTech via the reporter who originally broke the story (this is about the available methods on one of their APIs):

One of these is getKids and all it needs is the ID of the parent. No authentication token, no authorisation that the user can actually access the kid’s details, nothing more than a sequentially incrementing number. There’s also getParent which does exactly the same thing so the bottom line is that you don’t even need a data breach because as it stands today, you can simply enumerate the API. As an attacker, I can request the details on every single parent and get name, email and post code then take that parent ID and get every single child they’ve registered.


Monday, 8 February 2016

Data breaches, vBulletin and weak password hashing


This weekend, I loaded five additional data breaches into Have I been pwned (HIBP) that had come from various forums running on vBulletin. These came via supporters who had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a really good look at the passwords stored in the system and ensure that they do indeed adhere to the sorts of password patterns we’re used to seeing (i.e. poorly chosen and often including the name of the site). Fortunately for my purposes here – and unfortunately for those who actually had accounts on these sites – vBulletin does a pretty sloppy job of storing passwords and I thought I’d use this as an opportunity to demonstrate just what I mean by that. I’ll also show how “salted hashes” can be created in a very weak fashion as used by vBulletin or in a very strong fashion using modern adaptive algorithms.

Let’s take the Gamerzplanet breach which had over 1.2M accounts in it with the first ten passwords appearing as follows:

af48332ec7bae3b43c2f8c28f1b6479e:f\u
befd08dfd48fc13a47f5dcd467f4964f:$:}cL1SDYX$s+viF%MJ{w(W|nmG%IS
a92f7415b68d649f0e0314b149a8bc0a:5ze
10a9ef2ec83234eec337e557333f78f5:/Do
2fc88d6b7b827bec242a307604c1c161:27L
0101a55a81ff2a185d6a758ab0bce632:4fWN2/+I~&AW]UrMw\AM3pZJR55b#O
cb574910766230d9e4bfa979110b26e2:~KJ
504661de0decb40df6feaac4eed46884:|p|
618fbea1123e82ff547274e3134c0731:0 c
5e155f2a3b61528bd2c772ce7230ce35:@9]

The first thing you’ll notice here is that two of the rows are much longer than the others. What we’re actually seeing here is a fixed-length MD5 hash on each row, then a colon delimiter between the hash and the salt. Two rows have salts of thirty bytes; the other eight have salts only three bytes long. Without knowing exactly what framework these had come from (although having my suspicions based on its prevalence in HIBP), I plugged the first value into a hash identification service:


Saturday, 30 January 2016

Thank you Waitrose, now fix your insecure site


I had a follower send me a curious question the other day which, if I paraphrase, went like this:

Hi, I was worried about the security of the Waitrose login form so I contacted them about it. They sent me a response but I’m not sure if it’s correct – can you shed some light on it?

Actually, yes, I can and frankly, it’s a bit of a comedy of errors. For those not familiar with Waitrose, they’re a large British supermarket chain bringing in somewhere around five and a half billion (with a “b”) British pounds a year. They’re huge and they have access to more than enough funds to have smart people get their security right… or so you’d think. Let’s start at the beginning and look at the front page of waitrose.com:

Waitrose login page served over HTTP


Tuesday, 26 January 2016

XSS’ing the security speaker panel via sli.do


One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:

This was whilst answering questions on a panel – a security panel – at ProgramUtvikling’s security day in Oslo last week (they’re the guys who run the NDC conferences around the world). I was sitting up there on the stage with Erlend Oftedal and Einar Otto Stangvik whilst the big screen behind us scrolled through questions asked by the audience using the sli.do app. The questions were being read out by Niall Merrigan until… he stopped in his tracks and I can’t recall whether his reaction was amusement or horror or a mix of the two, but turning around, we all saw the screen adorned with the XSS alert.


Tuesday, 19 January 2016

The impact of “Have I been pwned” on the data breach marketplace


I’ve been running “Have I been pwned?” (HIBP) for just over a couple of years now and to say that it’s exceeded my wildest expectations of what it might achieve is somewhat of an understatement. The volume of data it now holds is one thing, the many hundreds of thousands of notification subscribers is another and yet another again is the volume of traffic it serves, sometimes in the millions of visitors a day. But recently, the penny has dropped on something else it’s managed to achieve that I never expected; it’s impacting the market price of breached data.

Identities are valuable. Email addresses, passwords, physical addresses and phone numbers, to name but a few data attributes, all hold value for criminal elements. They enable access to accounts well beyond just those breached thanks to both password reuse and weak verification processes (read Brian Krebs’ piece last month on PayPal’s lazy authentication for a great example) plus of course provide malicious actors with essential elements required for identity theft. Whilst individual identities are valuable, full data breaches with potentially millions of identities can be a gold mine.

For example, back when I was dealing with the 000webhost breach, someone sent me this DM:

Tweet about 000webhost selling for $2k


Friday, 8 January 2016

PayPal and zero dollar invoice spam


I got a rather odd invoice via PayPal the other day; it looks like this:

PayPal spam email in a $0 invoice

Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up:

  1. It was from member@paypal.com.au
  2. The mail headers were legit
  3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/


Monday, 4 January 2016

It’s 2016 already, how are websites still screwing up these user experiences?!


We’re a few days into the new year and I’m sick of it already. This is fundamental web usability 101 stuff that plagues us all and makes our online life that much more painful than it needs to be. None of these practices – none of them – is ever met with “Oh how nice, this site is doing that thing”. Every one of these is absolutely driving the web into a dismal abyss of frustration and much ranting by all.

And before anyone retorts with “Oh you can just install this do-whacky plugin which rewrites the page or changes the behaviour”, no, that’s entirely not the point. Not only does it not solve a bunch of the problems, it shouldn’t damn well have to! How about we all just agree to stop making the web a less enjoyable place and not do these things from the outset?

Allow me to totally lose my cool for a bit and tell you just what’s wrong with the web today:


Thursday, 31 December 2015

2015 retrospective


I don’t normally do the year in review thing, but then I don’t normally have a year like this either. Whilst it may not seem like it to the casual observer, life changed in so many significant ways in 2015, more so than any time in probably the last 15.

The other day I was having a spin back through my tweets with media and I realised just how nuts things had been, so I thought I might capture a bunch of them here as they really tell the story. This is as much for me to reflect on the year as it is for other people to see what I’ve been up to; I hope you find it interesting.

Speaking at Ignite 2015


Tuesday, 29 December 2015

No, you can’t join my wifi network


I’ve had a couple of experiences recently where guests have come to stay and then requested to jump on my wifi. In each case, I’ve declined and in turn they have expressed some degree of shock and outrage. Because it will happen again and because I don’t want upset guests staying in my house, allow me to articulate clearly and objectively why my network is off limits and why perhaps you too want to think twice about allowing access to yours.
