Saturday, April 19, 2014

ICICI Bank - Authentication Bypass Vulnerability

Source: http://gadgets.ndtv.com/internet/news/your-icici-statement-can-be-accessed-online-by-anyone-510296

Consider this my opinion on the latest vulnerability discovered in ICICI's Internet Banking portal that allows anybody to read your bank statement without logging in to your account. Yeah, you read that right, "without" logging in...

OK, a friend of mine pointed out this vulnerability to me... Initially my impression was, well, it must be another SQL injection, as I have always been skeptical about the level of security on the Internet provided by private and public banks.

Bug: Authentication Bypass + Insecure Direct Object Reference (IDOR)

Discovered by: Ayush Ghosh, BookMyShow

Disclosed by NDTV to ICICI Bank because the bank didn't bother checking the researcher's e-mail, as usual. So much for having those abuse / info e-mail addresses on their website. Banks must start working on a middle ground with security researchers.

Initially the vulnerability seems innocuous, but factor in that a vulnerability like this could lead to money being stolen or to Internet fraud. Imagine 20 lakhs stolen from your bank account straight up by a guy who cons you with an Internet scam. Then look at this vulnerability in that new light, with your money on the table... Scary? Yeah, I thought so! ;)
New Delhi-based cyber-security consultant Dominic K. spoke to NDTV Gadgets and discussed the multiple layers of security that banks have in place, which include multi-factor authentication, encryption, secure connectivity - SSL and HTTPS and identity management systems. He added, "We have not heard of any serious attacks that were successful. These are industry practices that meet global standards."
SSL - Broken many times
HTTPS - Broken - Can be stripped and/or hijacked
Certificates can be spoofed and/or stolen

How will multi-factor authentication or secure connectivity help when no user is logged in?
Authentication is the mechanism by which a user logs in to confirm his / her identity on the bank's website. This is usually achieved with parameters such as debit card number, account number, debit card PIN, or the username / password issued for Internet banking. The authentication mechanism is NOT part of this vulnerability, so all those global standards don't matter in this case: the statement is handed out before any of them come into play.
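The class of bug the post names, as an added example (not ICICI's code and not from the NDTV article): a bank-statement lookup keyed on account number, first without any session or ownership check, then with both. Account numbers, users and tokens are constructed for the demo.

```python
from typing import Dict, List, Optional, Set
import secrets

# Constructed sample data: statements keyed by account number.
STATEMENTS: Dict[str, List[str]] = {
    "000101234567": ["2014-04-01 CREDIT 50000.00", "2014-04-10 DEBIT 1200.00"],
    "000109876543": ["2014-04-03 CREDIT 7500.00"],
}
# Which Internet-banking login owns which account (constructed).
OWNERS: Dict[str, Set[str]] = {"alice": {"000101234567"}, "bob": {"000109876543"}}
SESSIONS: Dict[str, str] = {}  # session token -> username, filled by login()


def login(username: str) -> str:
    """Issue a session token. The password / PIN check is omitted; the
    post's point is that the flaw sits outside authentication anyway."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def statement_vulnerable(account_no: str,
                         session_token: Optional[str] = None) -> Optional[List[str]]:
    """Before: the account number alone selects the data. No session is
    required and ownership is never checked, so anyone who knows or guesses
    an account number reads that customer's statement."""
    return STATEMENTS.get(account_no)


def statement_fixed(account_no: str,
                    session_token: Optional[str]) -> Optional[List[str]]:
    """After: require a live session AND check that the logged-in user owns
    the requested account. Every failure returns None so the response does
    not reveal whether an account number exists."""
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        return None                                  # not authenticated
    if account_no not in OWNERS.get(user, set()):
        return None                                  # not this user's account
    return STATEMENTS.get(account_no)
```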

Our high school teachers have spoiled us with an example for every damn thing in the world.

Example: A grifter with very little computer knowledge can write an e-mail with your name (first name, last name), bank account information, your bank balance and a 'mistake' he noticed (a reason to click). Since the dawn of graphical computing we have always been clicking; you can't get anything done without clicking. You click more than you type, and that is a fact; you clicked on this damn page, in fact... :D

Mr. Grifter can then systematically make you execute JavaScript and steal your cookies, pun intended! Cookies here equate to money, but that's just for people who care. If that grifter is savvy and smart, he just might hack your browser and make your life hell. The people who want to sit at home feeling safe, well... good luck, security has always been an illusion.

The original article can be found here

Cheers!

Saturday, April 12, 2014

OpenSSL Heartbleed Vulnerability

Digi from Crimemachine and I have whipped up a document to educate the public about this recent vulnerability. With all the information and buzz surrounding this vulnerability comes a lot of confusion too... We provide this information with the standard disclaimer: this information is for educational purposes only.

Download the Heartbleed - Information Packet (Google Drive)

You will be responsible for your own actions. Use the information sensibly.

Official Website: http://www.heartbleed.com 
OpenSSL Advisory: http://www.openssl.org/news/secadv_20140407.txt

Update: A simple shell loop for those of you who are dabbling with the code (the redirect after done applies to the whole loop, so every pass is appended to the log):
root@crimemachine:~# while true;do ./heartbleed.py 192.168.220.133 -p 443;sleep 2;done >> /tmp/heartbleed.log
You can iterate the loop and record login credentials when a user logs in to the site/server.
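The condition described in the OpenSSL advisory linked above, as an added example (not from the information packet and not heartbleed.py): a detector that parses a TLS heartbeat record and flags the lying length field that triggers the bug. The sample records are constructed here, not captured traffic.

```python
import struct
from typing import Optional

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record type for heartbeat (RFC 6520)
MIN_PADDING = 16               # RFC 6520: at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> Optional[str]:
    """Return None for a well-formed heartbeat (or a non-heartbeat record),
    otherwise a short reason. The Heartbleed trigger is a heartbeat whose
    declared payload_length is larger than the bytes actually carried;
    unpatched OpenSSL trusted that field and copied that many bytes from
    its own memory into the reply."""
    if len(record) < 5:
        return "truncated TLS record header"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return None
    body = record[5:5 + length]
    if len(body) != length:
        return "record length field does not match bytes present"
    if length < 3 + MIN_PADDING:
        return "heartbeat body too short for type, length and padding"
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):               # 1 = request, 2 = response
        return "unknown heartbeat message type"
    # The check the fix added: the declared payload must fit in the body
    # with room left for the minimum padding.
    if 3 + payload_length + MIN_PADDING > length:
        return ("Heartbleed-style: payload_length %d exceeds body of %d bytes"
                % (payload_length, length))
    return None


# Constructed sample records (not captured traffic).
# Benign request: 4-byte payload "ping", 16 bytes of padding, body = 23 bytes.
SAMPLE_GOOD = bytes.fromhex("18 0302 0017 01 0004 70696e67" + "00" * 16)
# Malformed request: 19-byte body with no payload, yet payload_length claims 16384.
SAMPLE_BAD = bytes.fromhex("18 0302 0013 01 4000" + "00" * 16)
```

Run it over records pulled from a capture and anything returning a "Heartbleed-style" reason is a probe worth alerting on.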

Cheers,
Kish

Wednesday, March 12, 2014

Talk to the real hackers...

In today's scenario, everybody is a penetration tester... :D
All the "me too" security providers, "engineer" pen-testers, one-stop shops and yuppies are going to be mad at me now... An artist should rather let his work speak; if you want to see me in action, call me!

Cheers,
Kish

Thursday, November 21, 2013

ZKSoftware ZEM500 Authentication Bypass


############################################
# ZKSoftware ZEM500 RFID Card Reader
# Date: 22.11.2013
# Vuln: Authentication bypass / Abuse of Access
###########################################

In a world which relies on technology heavily, the use of software and/or hardware to track people at office / work isn't new. It is actually quite old and a lot of systems are vulnerable. This is just my observation of ZEM500 hardware on a limited scope of attack.

Typical connectivity diagram from the ZEM500 hardware to the network [diagram]

ZEM500 by ZKSoftware (sold by eSSL India) is a biometric fingerprint cum smart card system used to authenticate employees and maintain attendance in corporate offices. The authentication data (employee name, employee password) is encoded in a smart card like any other system. The ZEM500 runs a Linux 2.4.x kernel with BusyBox userland, and its user identification is based on fingerprinting.

Port scan of the ZEM500 [screenshot]

Telnet to the ZEM500 [screenshot]

Malformed packet for the ZEM500 using Scapy [screenshot]

Observing the traffic with Wireshark was not amusing: it revealed employee login / logout details in the clear... For obvious reasons of confidentiality and safety, I won't post it online!

eSSL Time Track - Hardcoded Password [screenshot]

Apart from the above-mentioned authentication bypass, you can download a copy of the management software at www.esslindia.com/install/eTimeTrack.zip and manage the system like a normal administrator would. eSSL resells the hardware in India. The management software has a hardcoded password for both Windows and SQL authentication. Weak encryption, anyone?

Default install includes SQL Express for the management software. The software can be used to manage, maintain and fetch reports from the system.

The ZEM500 has WiFi capability and I never hooked my system to the firewire... Food for thought? ;))

Cheers,
Kish

Thursday, February 28, 2013

Survey - Selling Security


Following is a survey I conducted on 3 simple questions which a lot of security professionals may have seen, heard and answered in the course of their career. These three questions are simple, but cover the basic questions any client may ask frequently:

Question1: How much would you charge for a pen-test for a 500 user base? (involving Desktops & Servers). Scope of work is to conduct VA, PT and a Social Engineering exercise. Is Rs.20,000 a realistic number for the said scope?
A) Auditor X - Done generally to reduce price or show their objection (price/budget). There's all kinds of people who do these tests, For example, I've heard about people pricing a 50 server assessment for Rs.10,000 (with PoC Exploits). I have seen reports being copy / pasted from the scanner without any change for a lot of engagements.
B) Sec Consultant - The price has to be more, but preferably in double digits, not in lakhs!
C) Big4 Consultant - Practically not possible to price a pen-test of this magnitude at the client's budget
(Minimum 10 lakhs for the engagement would be my quote)
D) Customer X - 1.5 to 2 lakhs will be a realistic budget, Unrealistic to ask for 20K
E) Trainer X - Approximate number would be upwards of 1 lakh, I don't know what would be a realistic number.
F) Former Dev X - Definitely wouldn't do it for 20,000. Regardless of the tools used the skill set I've learnt over years, that's what demands pay.

Question2: Is it fair to compare a consultant's time, skill and experience with tool(s) license cost?
A) Auditor X - Obviously the tool's cost is cheaper, why do they need the consultant in this case?
B) Sec Consultant - Need for a mix of both things (tools and consultant's skillset)
C) Big4 Consultant - 10 lakhs minimum - 20,000 is not possible, manual effort, interpretation of vulns and skill involved is the differentiator.
D) Customer X - Based on the frequency, I will choose whether or not to hire... IF Quarterly or frequent tests (say 12) are warranted then I'll train in house personnel for the requirement.
E) Trainer X - Anybody can run a tool, but without properly understanding the vulns and what happens behind the scenes, the test results can't be interpreted properly.
F) Former Dev X - No it doesn't justify the argument, I wouldn't just rely on a guy who doesn't know security. 

Question3: Do Certification(s) like CEH, CPTS and a couple more enable you to carry out a penetration test?
A) Auditor X - People can't run tools properly, let alone conduct a proper test. You'll be shocked by the things I've heard about CEH and how it (CEH Training/Cert) can be procured for 15K inclusive of exam voucher.
B) Sec Consultant - Yes... but depends more on the foundation and creative ability...
C) Big4 Consultant - Certifications are theoretical, cover only basics of tools, do not impart practical knowledge.
D) Customer X - Real time experience and fundamentals are necessary... just certifications won't help in conducting a penetration test.
E) Trainer X - Absolutely not possible to perform a test in live environment.
Content provided in certification is theoretical and not a real indicator of skill.
MNCs may buy the argument, but even they conduct interviews to assess the credibility and skill set of a candidate.
F) Former Dev X - Honestly certifications are to "basically convince prospective employers and yourself" that you know something that you don't. Haha! The certification's content just scratches the surface of what's possible.

Participants of the Survey:
Auditor X - Infosec Auditor with over 5 years of experience, which includes areas such as VA, PT, Auditing, Operational Risk, Business Continuity
Sec consultant - Over 10 years of experience in GRC, Vulnerability Assessment, Pen-Testing
Big4 Consultant - Security analyst with 3 years experience in Web - Vulnerability Assessment, Pen-Testing
Customer X - Works as a manager for a manufacturing giant, over 8 years of experience.
Trainer X - Works as a trainer on mostly Windows, Networking and Security based topics.
Former Dev X - A former developer working for an MNC, With exposure towards Programming.
Former Dev X is also an experienced hacker, who currently performs all kinds of pen-tests and source code reviews (which he finds boring) ;)

The opinions are interesting when you read each person's background, point of view, experience and current work profile. Based on general consensus, we have opted to keep your identities anonymous; we respect your privacy... Thanks for taking the time to answer the questions politely...

Personal thanks to all the participants, interacting with y’all was fun!

Cheers,
Kish

Update: Found an old bookmark, certainly worth a laugh... ;)

Thursday, December 27, 2012

GoogleTalk Disconnect Issue (Notes)

GoogleTalk Disconnect - Workaround
URL: hxxp://talk.google.com

If your gtalk disconnects OFTEN,

that's because your client / browser establishes a tunnel to localhost
(127.x.x.x).

If you can change that goddamn proxy to a proper setting or a port fwd,

it doesn't disconnect at all.
I got so pissed today, to check out, of all the days... I've been using talk...
netstat -t
netstat -n
netstat -ban
All those commands showed this google-talk tunneling to my localhost.

Two things to note: this doesn't apply to mobile and browser-based chat (chatenabled.google.com),
just to the gtalk client; browser-based chat connects through 5222 / 52xx mostly...

Too bad Google Talk doesn't provide a "No proxy" option... It makes sense to add the feature ASAP...

Wednesday, December 05, 2012

Homeshop18 - Top 10 Indian Website?

Shouts to the websites that provide ranking for e-Commerce websites in India ;))

Additional shouts to people who tell me, how their "website security" budget is cramped, but they can do endless meetings, interviews and documentation work for compliance, year on year! :)

#############################################
# Website: www.homeshop18.com
# Date: 05.12.2012
# Bug: Cookie Manipulation / Bad authentication
############################################

Trust me when I say your website is the most visible and targeted asset in your whole infrastructure. It represents your brand image and everything your company stands for on the Internet. One mistake like this can cost a business customers and sales...

The Homeshop18 website suffers from a few vulnerabilities, namely path disclosure and insecure user authentication cookies... If the cookies can be manipulated on the client side, a user's data can be compromised, which will lead to a security incident...

Kindly make amends and fix the vulnerability within 48 hours; this information has been released with public awareness and safety in mind.
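One way to make an authentication cookie tamper-evident, as an added example (not Homeshop18's code): the user id and expiry stay readable but are covered by an HMAC that the server verifies in constant time, so a client-side edit is rejected. The key is a constructed placeholder; the cookie name "session" and the helper names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder; a real deployment keeps this server-side and rotates it.
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """user_id and expiry are visible in the cookie but the MAC covers both,
    so changing either on the client invalidates it."""
    exp = (now if now is not None else int(time.time())) + ttl
    payload = f"{user_id}|{exp}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is intact and unexpired, else None."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time; rejects tampering
        return None
    user_id, exp = payload.decode().rsplit("|", 1)
    if int(exp) < (now if now is not None else int(time.time())):
        return None
    return user_id


def set_cookie_header(cookie: str) -> str:
    """Attributes to send with it: unreadable from script, HTTPS only."""
    return f"Set-Cookie: session={cookie}; HttpOnly; Secure; SameSite=Strict; Path=/"
```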

Cheers,
Kish