Thursday, November 21, 2013

ZKSoftware ZEM500 Authentication Bypass

############################################
# ZKSoftware ZEM500 RFID Card Reader
# Date: 22.11.2013
# Vuln: Authentication bypass / Abuse of Access
###########################################

In a world that relies heavily on technology, using software and/or hardware to track people at the office isn't new. It is actually quite old, and a lot of these systems are vulnerable. What follows is just my observation of the ZEM500 hardware within a limited attack scope.

Typical connectivity diagram from the ZEM500 hardware to the network...

ZEM500 by ZKSoftware (sold by eSSL India) is a biometric fingerprint cum smart card system used to authenticate users and maintain attendance in corporate offices. The authentication data (employee name, employee password) is encoded on a smart card like in any other such system. The ZEM500 runs a Linux 2.4.x kernel with a BusyBox userland, and authentication is fingerprint-based.

Port Scan of the ZEM500,

Telnet to ZEM500,


Malformed packet for ZEM500 using Scapy,


Observing the traffic with Wireshark was not amusing: it revealed employee login / logout details... For obvious reasons of confidentiality and safety, I won't post it online!

eSSL Time Track - Hardcoded Password,

Apart from the authentication bypass mentioned above, you can download a copy of the management software from www.esslindia.com/install/eTimeTrack.zip and manage the system like a normal administrator would. eSSL resells the hardware in India. The management software has a hardcoded password for both Windows and SQL authentication. Weak encryption, anyone?

The default install includes SQL Server Express for the management software, which is used to manage, maintain and fetch reports from the system.

The ZEM500 has WiFi capability and I never hooked my system to the firewire... Food for thought? ;))

Cheers,
Kish

Thursday, February 28, 2013

Survey - Selling Security

Following is a survey I conducted on three simple questions that most security professionals have seen, heard and answered in the course of their career. The questions are simple, but they cover the basics any client may ask frequently:

Question1: How much would you charge for a pen-test for a 500 user base? (involving Desktops & Servers). Scope of work is to conduct VA, PT and a Social Engineering exercise. Is Rs.20,000 a realistic number for the said scope?
A) Auditor X - Done generally to reduce price or show their objection (price/budget). There are all kinds of people who do these tests. For example, I've heard about people pricing a 50 server assessment for Rs.10,000 (with PoC Exploits). I have seen reports being copy / pasted from the scanner without any change for a lot of engagements.
B) Sec Consultant - The price has to be more, but preferably in double digits, not in lakhs!
C) Big4 Consultant - Practically not possible to price a pen-test of this magnitude at the client's budget
(Minimum 10 lakhs for the engagement would be my quote)
D) Customer X - 1.5 to 2 lakhs will be a realistic budget, Unrealistic to ask for 20K
E) Trainer X - Approximate number would be upwards of 1 lakh, I don't know what would be a realistic number.
F) Former Dev X - Definitely wouldn't do it for 20,000. Regardless of the tools used the skill set I've learnt over years, that's what demands pay.

Question2: Is it fair to compare a consultant's time, skill and experience with tool(s) license cost?
A) Auditor X - Obviously the tool's cost is cheaper, why do they need the consultant in this case?
B) Sec Consultant - Need for a mix of both things (tools and consultant's skillset)
C) Big4 Consultant - 10 lakhs minimum - 20,000 is not possible, manual effort, interpretation of vulns and skill involved is the differentiator.
D) Customer X - Based on the frequency, I will choose whether or not to hire... IF Quarterly or frequent tests (say 12) are warranted then I'll train in house personnel for the requirement.
E) Trainer X - Anybody can run a tool, but without properly understanding the vulns and what happens behind the scenes, the test results can't be interpreted properly.
F) Former Dev X - No it doesn't justify the argument, I wouldn't just rely on a guy who doesn't know security. 

Question3: Do Certification(s) like CEH, CPTS and a couple more enable you to carry out a penetration test?
A) Auditor X - People can't run tools properly, let alone conduct a proper test. You'll be shocked by the things I've heard about CEH and how it (CEH Training/Cert) can be procured for 15K inclusive of exam voucher.
B) Sec Consultant - Yes... but depends more on the foundation and creative ability...
C) Big4 Consultant - Certifications are theoretical, cover only basics of tools, do not impart practical knowledge.
D) Customer X - Real time experience and fundamentals are necessary... just certifications won't help in conducting a penetration test.
E) Trainer X - Absolutely not possible to perform a test in live environment.
Content provided in certification is theoretical and not a real indicator of skill.
MNCs may buy the argument, but even they conduct interviews to assess the credibility and skill set of a candidate.
F) Former Dev X - Honestly certifications are to "basically convince prospective employers and yourself" that you know something that you don't. Haha! The certification's content just scratches the surface of what's possible.

Participants of the Survey:
Auditor X - Infosec Auditor with over 5 years of experience, which includes areas such as VA, PT, Auditing, Operational Risk, Business Continuity
Sec consultant - Over 10 years of experience in GRC, Vulnerability Assessment, Pen-Testing
Big4 Consultant - Security analyst with 3 years experience in Web - Vulnerability Assessment, Pen-Testing
Customer X - Works as a manager for a manufacturing giant, over 8 years of experience.
Trainer X - Works as a trainer on mostly Windows, Networking and Security based topics.
Former Dev X - A former developer working for an MNC, With exposure towards Programming.
Former Dev X is also an experienced hacker, who currently performs all kinds of pen-tests and source code reviews (which he finds boring) ;)

The opinions are interesting once you read each person's background, point of view, experience and current work profile. By general consensus we have kept your identities anonymous; we respect your privacy... Thanks for taking the time to answer the questions politely...

Personal thanks to all the participants, interacting with y’all was fun!

Cheers,
Kish

Update: Found an old bookmark that is certainly worth a laugh... ;)

Thursday, December 27, 2012

GoogleTalk Disconnect Issue (Notes)

GoogleTalk Disconnect - Workaround
URL: hxxp://talk.google.com

if your gtalk disconnects OFTEN

that's because your client / browser establishes a tunnel to localhost
127.x.x.x

if you can change that goddamn proxy to a proper setting or a port fwd

it doesn't disconnect at all
I got so pissed today that I checked it out... of all the days I've been using Talk...
netstat -t
netstat -n
netstat -ban
all those commands showed this idea of google-talk tunneling to my localhost

Two things to note: this doesn't apply to mobile and browser-based chat (chatenabled.google.com), just to the gtalk client; browser-based chat connects through 5222 / 52xx mostly...

too bad google talk doesn't provide a "No proxy" option... It makes sense to add the feature ASAP...

Wednesday, December 05, 2012

Homeshop18 - Top 10 Indian Website?

Shouts to the websites that provide ranking for e-Commerce websites in India ;))

Additional shouts to people who tell me, how their "website security" budget is cramped, but they can do endless meetings, interviews and documentation work for compliance, year on year! :)

#############################################
# Website: www.homeshop18.com
# Date: 05.12.2012
# Bug: Cookie Manipulation / Bad authentication
############################################

Trust me when I say your website is the most visible and targeted asset in your whole infrastructure. It represents your brand image and everything your company stands for on the Internet. One mistake like this can cost a business customers and sales...

The Homeshop18 website suffers from a few vulnerabilities, namely path disclosure and insecure user-authentication cookies... If the cookies can be manipulated on the client side, a user's data can be compromised, which will lead to a security incident...
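One way to close the cookie-manipulation hole described above is to sign the session cookie so the server can detect any client-side edit. The following is an added example, not Homeshop18's code; the secret key, the cookie layout and the user id format are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side key, generated here for the demo only; in a real
# deployment it comes from configuration and never reaches the client.
SECRET_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def insecure_user_from_cookie(cookie: str) -> str:
    """The pattern the post warns about: whatever user id the browser sends is
    believed, so editing the cookie value is enough to become another user."""
    return cookie


def issue_cookie(user_id: str, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.signature'. The browser can still read the payload,
    but cannot produce a valid signature for an edited one without the key."""
    payload = _b64(user_id.encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the user id if the signature checks out, otherwise None."""
    try:
        payload, sig_text = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # constant-time comparison so the check does not leak the match position
        if not hmac.compare_digest(_unb64(sig_text), expected):
            return None
        return _unb64(payload).decode()
    except (ValueError, UnicodeDecodeError):
        # malformed cookie, bad base64 or non-text payload: treat as unauthenticated
        return None


def set_cookie_header(name: str, value: str) -> str:
    """Attributes that keep scripts and plain-HTTP requests away from the cookie."""
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def client_side_edit(cookie: str, new_user_id: str) -> str:
    """Simulate the client-side edit the post describes: swap the payload,
    keep the old signature. Used below only to show that it is rejected."""
    _, sig_text = cookie.split(".", 1)
    return f"{_b64(new_user_id.encode())}.{sig_text}"


if __name__ == "__main__":
    cookie = issue_cookie("user-1001")
    print(set_cookie_header("session", cookie))
    print("valid cookie   ->", verify_cookie(cookie))
    print("edited cookie  ->", verify_cookie(client_side_edit(cookie, "user-1")))
    print("insecure parse ->", insecure_user_from_cookie("user-1"))
```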

Kindly make amends and work on fixing the vulnerability within 48 hours; this information has been released with public awareness and safety in mind.

Cheers,
Kish

Sunday, April 01, 2012

iPod not for common man !

Apparently the iPod manufactured by Apple is not for a common man... The more restrictions, the more twisted and the more ironic the sales reps and customer service behaves these days... Apple has become a bloody pain in the rear to deal with...

Take their iPad for instance, you do a 101 pointless things to get two files across... through their royal useless iTunes software - which must be updated all the time. Take Samsung Note or Galaxy for example, you have so many useful apps, a lot of flexibility with the Android OS and accessing files and transferring the same in High Def are a breeze...

Most irritating part of this whole shindig is when Apple decides, India is not there in their "universe" !

Fuck you, Apple for not including India / Asia in the list
Considering that Asia is the biggest continent in the world, with important electric / electronic players like Japan, China and India... Why do they need a separate website? What's more? Their product fails epically, cosmically, at all levels... from their promise to "hidden costs" to "service and support" BS... To top it off, they don't provide open service in India!

iTunes is king, really? A piece of shit called iTunes - which fails at what it is supposed to do - sync, delete, manage and restore - basically, enable smooth functioning of the device - I conclude Apple's useless products are not for every man, a common man, most certainly not for a hacker... You like flexibility? You want to hack a device? You want to play with all the features?

You better look away from Apple, unless you want to give your hard earned cash for a worthless list of shiny products. There's a whole list of products in terms of smart phones, tablets and mp3 players...

As the guy, who's spent money on 5 iPods (of all sizes and shapes) in 3 years and dumped all of them in 6 to 8 months each... I say, Fuck You Apple for making bad products and selling them!

Sunday, October 16, 2011

How I got back a returning customer

Background
A little background information for you folks who don't understand what I do... I expose the ways in which your network, server, host, web application, website or any other system may be vulnerable to real attacks. We are not talking about some obscure bug that can't be exploited. We are talking about DNS here...

Now DNS is not exactly rocket science, right? You think so? The customer whom I spoke to doesn't really concur with me on that point. He thinks it is rocket science, since he does not have enough technical knowledge to figure it out. I give him a demonstration of how to tunnel SSH over DNS (Ozyman) and SSH over HTTP :))

Show time (DNS Tunneling)
Once I do that, his auditor freaks out and tells me how I am doing bad things. What is my job again? I expose vulnerabilities and real threats to the customer; I don't perform simple scans and tell the customer to patch some bug without taking business productivity and impact into consideration. In layman's terms, tunneling one protocol over another as discussed above makes the network think the SSH session is just DNS traffic. The truth is that some rogue hacker may get a reverse shell running through that port and hide in plain sight.
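The detection side of the demo described above, as an added example that is not part of the original post: a small scanner over constructed DNS query log lines (a dnsmasq-style "query[TYPE] name from client" format is assumed) that flags long, high-entropy labels repeated under one base domain, which is the shape SSH-over-DNS traffic takes because the payload has to be packed into the query names.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the post). The long hex
# subdomains under tunnel.example stand in for the SSH-over-DNS traffic
# described above; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
query[A] www.example.com from 10.0.0.5
query[TXT] 0a3f9c1d2e4b6a7c8d9e0f1a2b3c4d5e6f7a8b9c.tunnel.example from 10.0.0.7
query[A] mail.example.com from 10.0.0.5
query[TXT] f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e.tunnel.example from 10.0.0.7
query[TXT] 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b.tunnel.example from 10.0.0.7
query[TXT] 4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e.tunnel.example from 10.0.0.7
query[A] cdn.example.net from 10.0.0.9
"""

LINE_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random hex tops out near 4.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(name: str) -> str:
    return max(name.rstrip(".").split("."), key=len)


def is_suspicious_name(name: str, min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """A tunnel must carry its payload in the labels: long and high-entropy."""
    label = longest_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def base_domain(name: str) -> str:
    """Last two labels; enough for this sample, a public-suffix list is better."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def analyse(log_text: str, min_queries: int = 3) -> dict:
    """Group suspicious queries by base domain and report those seen repeatedly.

    Returns {base_domain: {"count": int, "clients": set, "qtypes": set}}.
    """
    seen = defaultdict(lambda: {"count": 0, "clients": set(), "qtypes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_suspicious_name(m["name"]):
            continue
        entry = seen[base_domain(m["name"])]
        entry["count"] += 1
        entry["clients"].add(m["client"])
        entry["qtypes"].add(m["qtype"])
    # one odd lookup is noise; a stream of them under one domain is a channel
    return {d: e for d, e in seen.items() if e["count"] >= min_queries}


if __name__ == "__main__":
    for domain, info in analyse(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {domain} ({info['count']} queries "
              f"from {sorted(info['clients'])}, types {sorted(info['qtypes'])})")
```

The thresholds are starting points; tune them against a baseline of your own resolver logs, since CDNs and some anti-spam services also use long labels.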

The customer and his new-found "auditor" (read: CISSP / CISA holder with no grasp of protocols) needed convincing: I had to show documentation, research and a tool. To top it off, I showed a live demo and used Wireshark to show the DNS traffic. I did my job and I did it so well that the customer became scared, confused and everything else but convinced. The customer did not want to understand the impact, or go with a quality security tester like me.

My mistake
I told them, I will test the environment without any bias and will not support their certification (compliance) efforts, if they fail to co-operate and patch all the important vulnerabilities. This causes a real stir and the next time, the customer (who happened to be a return customer - more than 4 engagements)... fails to choose ME for the 5th time.

Business 101
Guess why they didn't want me? I argued and I failed to co-operate with them for their namesake compliance... OK, from a business point of view I totally understand their hatred towards me. There's an old saying in sales, If You Win the Argument, You Lose the Sale (The auditor played a good part in convincing them, that I am not the right person for the job). When it comes to security and technical aspects, I put my money where my mouth was... and showed them a real demonstration.

Better Late Than Never
What did I learn? Be co-operative... or lose the sale. I'd rather have it my way or the highway... and a customer who can not appreciate quality is always going to end up in my bad books. I am a person that believes in quality over everything else.

What did they learn? The customer's network got hacked exactly 90 days after they achieved compliance. The customer didn't hesitate to call me. The manager at their firm said something I am very proud of... He said, "We are calling you because you scared us just like that hacker..."

For a few dollars more
After the post mortem and forensic analysis, I helped them to set up an incident response plan. The customer now engages me for security testing and over all maintenance of their network. I have gained a returning customer, after losing them once. Selling is all about second chances ;))

P.S: This is NOT the First Time, I am getting a call from a customer that disagreed with me and got hacked!

Cheers,
Kish

Thursday, October 06, 2011

Wow, Goodbye Steve?

Is it that time of the century for an inventor to be gone? Gee, that sucks... Goodbye Steve :(

Steve is an inspiration at best, and he braved being born to unmarried parents and given up for adoption by his mother... Then he drops out of college, founds Apple, founds Pixar, rejoins Apple, and a revolution happens with the iPhone, iPad and iPod; owning an Apple product doesn't make you exclusive anymore, they've turned from a niche company into a mainstream company with nearly $350 billion USD in stocks... The only company that makes more money than Apple is Exxon Mobil, and they do it from oil, not from ideas!

R.I.P Steve, also R.I.P A.C Nielsen... Peace !

Saturday, August 27, 2011

iQuit... Steve Jobs quits Apple, what, again?

I have stopped counting the number of times he's quit and come back to Apple...

Really would be a relief, if he let M$ stay on top and generate serious revenue compared to Apple. Personally, I'd like to see iPhone and a lot of i Apps / i Hardware(s) to stop... The world becomes restricted to bullshit software provided by apple... and their updates, well you've got to pay for it? WTF?

A lot of apple fans are pissed because the software, drm and whole pay for your updates BS - what if, they introduce bugs just to push more updates... That is not happening now, but some thing like that isn't impossible... ;)

It would be ironic to have such ridiculous stuff going on, amidst their already high number of vulnerabilities. iHate - Apple... All that aside, Steve Jobs is a great guy (business strategy, promotion, ideas and inspiring), Good luck to him !

Saturday, July 09, 2011

Love Letters...

I just love this, love this mail, especially the part about monies... hahaha !

Thank you for the Love letters :D

Monday, June 06, 2011

Note: Top 5 Database Breaches in 2011

1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.

2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.

3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent of the firm's 2,500 corporate clients.

4. Victim: Sony
Assets Stolen: More than 100 million customer account details and 12 million unencrypted credit card numbers.

5. Victim: Texas Comptroller's Office
Assets Stolen: The names, Social Security numbers, and mailing addresses of 3.5 million individuals, plus dates of birth and driver's license numbers of some.

Note for reference... :D

Thursday, April 28, 2011

And you thought online booking is safe

INOX Movies features - A lesson in "designing secure web pages"

Vulnerable URL: hxxp://www.inoxmovies.com/seatlayout.aspx

In case you don't understand what the bug will be, it will be a SQL injection!

INOX Movies is "Safe"... Come on, it uses "http"... it's unbreakable! :D

Sunday, April 17, 2011

APNIC runs out of IPv4 Address

http://www.apnic.net/publications/news/2011/final-8

If you haven't read this announcement, read it and act on IPv6... deployment for your enterprise environment.

Cheers,
Kish

Saturday, February 12, 2011

Ignorance is "THE" root of all evil

Example? HBGary's latest pwnage by the Anonymous group... I can't understand why they don't maintain good passwords, different passwords for each account, some user awareness, and why they can't get proactive website maintenance and testing. They have so much capital and, as the last line in the JPG says, "not expertly secured"... Epic FAIL.

BTW, I had and still have respect for Greg Hoglund from HBGary. All in all, they lost clients and will have bad PR for the next month or so... please work on your security "before" you get hacked.

For all the guys, who insist on "no DoS, no stress testing, no client side testing and no social engineering" - [04:18] <&Sabu> greg, a 16 year old girl social engineered your admin jussi and got root to rootkit.com

Yes, that's straight from an IRC chat log involving Greg (HBGary), Penny (HBGary) and the Anonymous group... I read the full log for the LOLs :D

Peace !

Saturday, December 18, 2010

Back... To Security Testing

After a recent flood of investigative, forensic and legal support requests... We are back ON-Track to security testing... Always great to have the 'hacker' tag :D

I certainly appreciate my clients who entrusted their resources to me for investigations and forensic work, but nothing like our bread-and-butter, haha.

The headlines from ArsTechnica read "MSE 2.0 arrives with heuristic scanning, network traffic inspection" & "December 2010 Patch Tuesday will come with most bulletins ever"... and ZDNet's headlines include "Microsoft delivers patches for IE, font driver; Puts Stuxnet to bed" & "Apple plugs 15 gaping security holes in QuickTime"

Some surprise that MSE 2.0 has been successful, because it was released earlier as a pilot and failed at 1.0 before they learned their lessons and launched 2.0 ;)

Same surprise about Windows Patch Tuesday - I love MS, they help us survive and stay in business... No Wonder, with tools like Metasploit and CANVAS around :D

Stuxnet has been put to bed and that is indeed good news...

We are going to have a blast, 3 pen-tests already lined up :))

Sunday, August 01, 2010

UIDAI Scheme - Or - Compromising my privacy?

What we know / heard from a few sources?

Basic Information:
The UID itself will collect only standard attributes such as name, date of birth, gender, father/mother/spouse/guardians name, address and a photograph. The only unique information is the biometrics (10 fingerprints and both IRIS scans).

Who / Why / Usage
The UID will be given to all residents who are in India and avail services and not just citizens.

The information in the database will be used only for authentication purposes and will not be shared or transmitted. Anyone seeking to authenticate the identity of another person using the UID database – will only get a response in YES or NO.

About working / operations:
The UIDAI is working on a partnership model with a variety of agencies and service providers (both government and private sector) to enroll residents for UID numbers and verify their identity, e.g. insurance companies, LPG marketing companies, RSBY, MG-NREGA etc. The UIDAI will also engage with outreach groups (essentially CSOs) to target the homeless, urban poor, tribals, differently-abled population of the country etc.

About security:
The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured through encryption, and in a highly secure data vault.

Is your security up to the mark? What is that secure data vault thing? Please don't use such terms; a layman may be fooled into thinking "ultra secure" when in reality you're storing it in the most haphazard manner.

Why do they (government) want a person's mother's name, father's name, and their respective UID numbers?

Check this out ... the picture shows what info they are going to collect for the card. Add the present/permanent address thing to this mix, you can have one of our residing addresses, you are the government, you either choose permanent or present address, because parting with "everything" or too much of my private information to you - from me, a hacker's perspective... looks like asking to be stabbed !

All I'm saying is ... basically, devil knows who's got access to this DB once it is implemented. That's not all, they do say there may be an option for a person to escape their identity theft mechanisms and create a completely false identity and obtain a UID, d'uh !

Murphy's law folks, if you missed it ... "If anything can go wrong, it will"

Security Model for UIDAI Scheme

Always be prepared for the worst case scenarios, stop deducing cyber crime with just audit trails for a change.

Offences under UIDAI Act - Check out the screenshot

Addition about the IT Act 2000, and consequences if you compromise their DB,"All offences under the Information Technology Act shall be deemed to be offences under the UIDAI if directed against the UIDAI or its database."

Small FAQ I built for the readers,

Q. How will they (government) manage and secure 1.20 billion people's information ?
A. They wish to encrypt information and store it in a centralized DB...

Q. What security design will be implemented for Server and the Network/Client?
A. We have Firewall, IDS, IPS - alphabet soup basically, and Encryption with PKI.

Oh, my! the traditional defense-in-depth approach - Lauds the government. What about being proactive and conducting tests regularly? (Pen test, code review, DB security, red teaming, and compliance for the supporting infrastructure)

Q. Will my information be secure in the database?
A. Well, it depends... lol !
"The UID database will be susceptible to attacks and leaks at various levels. The UIDAI must have enough teeth to be able to address and deal with these issues effectively."

Q. What will the basic information and biometrics be integrated with?
A. Banks, Ration shop, Income Tax Dept, Passports, Credit Card/Debit Card, Online accounts. Precisely, enough sensitive data will be integrated with so-cal best practices to leave you stabbed from a lot of angles.

People who define security should not use the abbreviation for et cetera (etc). Define, and then write a document, because you are dealing with national security and a billion-plus populace here. Don't be so naive and clueless as to mention stuff like "Network, Client Security – Encryption, PKI etc"

From the looks of it, the way in which the government is dealing with our information is haphazard, to say the least.

Cheers,
Kish

Friday, July 23, 2010

Xchanging URLs now ;))

The vulnerable page is still there, and there is no fix... but hey, the web developers sure learned to redirect the vulnerable page to home.html... ironic ;))

Web development and Security @ Xchanging - EPIC FAIL... sorry folks... Try harder next time... If you want to contact me for a penetration test, here's my mail: kishfellow at yahoo dot com

Cheers,
Kish

Wednesday, July 21, 2010

Xchanging SQL Injections with you...

Xchanging - Xchanging plc (LSE: XCH) is a business processing company, with a wide range of multinational customers in 42 countries and employing over 8,000 people worldwide. It is listed on the London Stock Exchange and is in the FTSE 250 Index. Xchanging is also a member of the FTSE4Good index.

They have a potential SQL injection here, well... someone needs a pen-test?
http://selfservice.xchanging.com/serviceportal/default.aspx?offset=

Cheers,
Kish

Tuesday, July 06, 2010

Linux migration SNAFU

Disclaimer: The author is not against windows, the author is not against linux, the author is against "stupid" practices and communication gap while migrating from one OS to another. The author is an ardent Linux and BSD Fan, and supports FOSS/OSS movements.

The inspiration for this post comes from a REAL company whose employees were not so happy and almost resigned their posts owing to a bad migration.

Here is a story of a simple Linux migration gone-all-wrong.

The last thing any employee wants at the office on Monday morning is to turn on their workstation to find Linux instead of their beloved Windows operating system.

How NOT TO MIGRATE from Windows to Linux
- For Lower TCO, access to source code,
- For Economic benefit, Ethical Benefit,
- For Access to Source code,
- For whatever-else-you-deem-fit to trigger a migration

You certainly have to communicate to your employee formally - written as a memo circulated throughout the ranks, or a simple e-mail to all employees notifying the change.

Analysis: Why it went wrong?
Things that made this particular migration go wrong...
1) The employees were not informed prior to the migration
2) Backup was not in place, only last minute backup was available
3) There was no Linux101, Command Line usage or any induction towards the new operating system at their disposal.
4) No clear planning, and deployment - Old versions of Ubuntu were deployed.
5) There was no consultant or subject matter expert to assist the migration.

How TO MIGRATE from Windows to Linux
- Prior to the transition from one OS to another - inform your employees formally
- Get them involved in the planning and ask for their views & suggestions
- After giving the heads-up, arrange for a backup (through System Administrator)
- To make the transition smooth decide who needs a Linux desktop and how many Windows systems can be retained (to reduce training budget)
- Choose a Linux distribution based on - User competence, prior experience, and business goal (why linux?)
- Engage an external consultant or subject matter expert
- Plan the switch with software used currently and alternate software available for linux
HINT: ptth://www.osalt.com
- Deploy a test bed and introduce the operating system functionality
- Arrange for a formal induction (hands-on) with the consultant
- Clarify doubts and exchange ideas, get tips and tricks and further reading
- Arrange for a dinner (makes employees happy to eat and learn, than just learning)
- Use linux philosophy from time to time - for motivation, increasing productivity, and squeezing employees to the max, hehe !

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them."
- Zig Ziglar


Point to be taken from this post: next time you migrate to any Linux distribution, make sure you communicate the change, engage a subject matter expert, plan, test, and then deploy.

Cheers,
Kish

PS: We offer Linux migration services, and Open Source consulting of the best quality at very nominal pricing. Contact me for more information.

Monday, May 31, 2010

U Socket - USB Charging directly from plug points

Quoting from their website,
"U-Socket is a duplex AC receptacle with built-in USB ports that can power any device that is capable of being charged via a 5V power adapter, but without the need for the power adapter! When a U-Socket replaces a traditional 3-prong AC wall socket, you can eliminate the clutter of AC Adapters that stick out & take up space in your home or office. Everything stays neat & organized. In additional, U-Socket's energy efficient design only outputs power through the USB port if something is connected to it. This can save you up to $25 per year in reduced energy costs. Good for you, good for the environment and with our great prices, good for your wallet too!"

Neat little addition to your desk to charge your devices like iPad or mp3 players :)

For more information, click here

Cheers,
Kish

Sunday, February 07, 2010

No pun intended

Pen tester1: I have far fewer issues related to security compared to my Windows laptop
Kish: probably, because people own macs silently ;)
Pen tester1: ...