Tuesday, May 27, 2008

Windows Vista - Easy hack

Hi, this time the people from Offensive-Security.com bring us an example of how Windows Vista could be hacked in a very easy way; forget exploits, ASLR, DEP, etc.

Just boot with a live CD, move utilman.exe to utilman.old, and copy cmd.exe to utilman.exe.

Then in the login window, just press CTRL-U, and a console with administrative rights will pop up.

It's the same as the old Windows XP Sticky-keys trick.

Video here


Tuesday, May 20, 2008

PCI Requirement 666, sorry 6.6

After all the discussion around PCI DSS requirement 6.6 and what the real requirements were, we can conclude that from June 30 (2008) there are two options for the web application requirement:

1- Application code review, which is subdivided into the following alternatives:

  • Manual review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning) tools

2- Web application firewall

I think that we should have both options implemented; they are not exclusive. Implementing just the manual web application assessment as code review would not assure the security of the application, because some time may pass between the discovery of the vulnerabilities and the patching/correcting/solving phase, during which the application will be exposed. Also, new vulnerabilities introduced after the manual web application assessment will put the security of the application in jeopardy.

Another interesting point is alternative 4 of option 1, "Proper use of automated web application security vulnerability assessment tool": what is considered "proper"? I imagine a lot of "tool monkeys" launching automatic scanners, printing the tool report and justifying requirement 6.6 for two pennies, and then you will have to explain to your customer why your service is more expensive than the other...

It's always the same :(

More to come on this issue.

Metagoofil 1.4 - Metadata exposed

Hi, this time I will post a brief entry about the new version of Metagoofil, released some days ago.

In this version (1.4) I added a new feature that extracts the MAC address from Office documents. Yes, you read that right :) the MAC ADDRESS.

We can find this information inside the documents in a string like this:

_PID_ GUID ... {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}

The last 12 hex digits are your MAC!

So here we have another piece of information that can be used to track a user, and most of them don't know of its existence :(
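The same check can be run over your own documents before they are published. The following is an added example, not Metagoofil's code: the function names and the sample bytes are constructed for illustration, and it goes one step beyond the text by testing the multicast bit, which RFC 4122 sets when the node field is random rather than a real adapter address.

```python
import re
import uuid

# Braced GUID text as it appears next to _PID_GUID.
GUID_RE = re.compile(
    rb"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
)

def format_mac(node):
    """Render the 48-bit node field as colon-separated octets."""
    return ":".join(f"{(node >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))

def find_mac_leaks(blob):
    """Return one finding per distinct version-1 GUID in a document's bytes."""
    # Office stores many property strings as UTF-16LE; dropping NUL bytes lets
    # one ASCII pattern match both encodings (good enough for an audit pass).
    flat = blob.replace(b"\x00", b"")
    findings = {}
    for match in GUID_RE.finditer(flat):
        guid = uuid.UUID(match.group(1).decode("ascii"))
        if guid.version != 1:
            continue  # only time-based GUIDs embed a node identifier
        # RFC 4122: a randomly generated node has the multicast bit set, so the
        # last 12 hex digits are an adapter address only when that bit is clear.
        is_hardware = ((guid.node >> 40) & 0x01) == 0
        findings[str(guid).upper()] = {
            "mac": format_mac(guid.node),
            "hardware_address": is_hardware,
        }
    return findings

# Constructed sample: the GUID quoted in the post as UTF-16LE, then a
# version-4 GUID and a version-1 GUID with a random (multicast) node in ASCII.
SAMPLE = (
    b"\x1e\x00_PID_GUID\x00"
    + "{F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}".encode("utf-16-le")
    + b"\x00\x00junk{3F2504E0-4F89-41D3-9A0C-0305E82C3301}"
    + b"{00000001-0000-1000-8000-010203040506}"
)

if __name__ == "__main__":
    for guid, info in find_mac_leaks(SAMPLE).items():
        print(guid, info)
```

A finding with `hardware_address` set to true means the document should be stripped of metadata before it leaves the company.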

The next version of Metagoofil will possibly map the MAC address to the vendor name, so we can have more information about a target company.

Download here: MetaGooFil

Wednesday, May 7, 2008

PhishMe - Phishing awareness

Via Dancho's blog I read a post about a company called PhishMe.com, which offers a service for creating phishing campaigns to test the awareness level in the different areas of your company by creating targeted emails and websites.

It's not a bad idea; with this you can get a sense of how your company's employees deal with phishing scams. What is curious is that the interface looks like a real professional phisher's interface; at least it will give ideas to phishers on how to organize and present the data of the attacks launched to get an idea of the success rate of the campaign.

Check Phishme.com
Dancho's post

Tuesday, May 6, 2008

Information Security Workforce Study

(ISC)2 brings us the new study about the information security workforce. Here you can find a lot of information about our profession to compare your position in different countries, which positions are best paid, etc. As stated on the (ISC)2 website:

"... the Study reflects the opinions of the dynamic information security workforce. It is the largest study of its kind and provides detailed insight into important trends and opportunities within the information security profession. It aims to provide a clear understanding of pay scales, skills gaps, training requirements, corporate hiring practices, security budgets, career progression and corporate attitude toward information security that is of use to companies, hiring managers and information security professionals"

A very interesting read: Download Study

Monday, May 5, 2008

Book - Zero Day Threat

I finished another book; this time I read "Zero Day Threat", a very interesting investigation about cybercrime by two journalists (Byron Acohido and Jon Swartz).

As stated on the cover, they show us "The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity".

The book is very well narrated; I liked how they told the story from 3 different points of view (the Exploiters, the Expediters and the Enablers). The authors did a fantastic job in the investigation and in the accuracy of the information given in the book.

It's a must for anyone who wants to know how cybercrime is organized and the inner workings of these mafias. You can learn how they steal identities, credit cards, passwords, etc. and how they transform all of these into money through laundering tricks.

After reading the book you get a feeling of being totally naked and vulnerable to the cybercrime mafias. I was aware of all the technological issues involving cybercrime, but now I'm aware of the other two pieces in this game and I get the full picture of how everything works.

You can check the site of the book for more information:

Pages: 304

Mysql - SQL Injection

Hi, here are the steps needed to extract data from a MySQL database through SQL injection automation. This will be useful for penetration tests, when you need to craft your own tool because the ones that are available fail...

Let's get to work, first we need to get the schemas (Databases):

"SELECT table_schema FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' limit 1,1"

Once we know which database we want to extract data from, we proceed to list the tables:

"SELECT table_name FROM information_schema.tables where table_schema = 'MYSCHEMA' limit 1,1"

MYSCHEMA = obtained schema from query 1

Now that we have the tables, we will go for the columns:

"SELECT column_name FROM information_schema.columns WHERE table_schema = 'MYSCHEMA' AND table_name = 'MYTABLE' LIMIT 1,1"

MYTABLE = obtained from query 2

After this process you know the schema (database), the tables and the columns, so you can create the query to extract the data you want or think will be interesting for the penetration test.

Another interesting query for penetration testing is the one that can create a bruteforce attack to find which table has a column named X.

"SELECT table_name FROM information_schema.columns WHERE column_name like '%MYWORD%' limit 1,1"

MYWORD= a word taken from a dictionary

Now it is all about putting this together in a script for automation. You can check www.edge-security.com Pblind for a SQL Injector script; the next release will have this feature included.

If you have another idea, please let me know.
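From the database side, the walk described in this post leaves a recognizable trace: one connection reading information_schema a single row at a time at changing LIMIT offsets. The following detection sketch is an added example, not part of Pblind; the tab-separated "connection id, query" log layout, the function name and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Metadata tables named in the queries above, and the "LIMIT offset,1" paging
# that returns exactly one row per request.
META_RE = re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)
LIMIT_RE = re.compile(r"\blimit\s+(\d+)\s*,\s*1\b", re.I)

def detect_schema_walk(log_lines, min_offsets=3):
    """Map connection id -> sorted offsets for connections that page through
    information_schema one row at a time."""
    seen = defaultdict(set)
    for line in log_lines:
        conn_id, sep, query = line.partition("\t")
        if not sep or not META_RE.search(query):
            continue
        limit = LIMIT_RE.search(query)
        if limit:
            seen[conn_id].add(int(limit.group(1)))
    # Admin tools and ORMs read metadata too, but seldom one row per query at
    # many different offsets, so require several distinct offsets.
    return {c: sorted(o) for c, o in seen.items() if len(o) >= min_offsets}

# Constructed sample log: connection 41 walks the table list, connection 52
# shows ordinary application and metadata reads.
SAMPLE_LOG = [
    "41\tSELECT name, price FROM products WHERE id = 7",
    "41\tSELECT table_name FROM information_schema.tables "
    "WHERE table_schema = 'shop' LIMIT 0,1",
    "41\tSELECT table_name FROM information_schema.tables "
    "WHERE table_schema = 'shop' limit 1,1",
    "41\tSELECT table_name FROM information_schema.tables "
    "WHERE table_schema = 'shop' Limit 2,1",
    "52\tSELECT column_name FROM information_schema.columns "
    "WHERE table_name = 'orders'",
    "52\tSELECT id FROM orders LIMIT 0,1",
]

if __name__ == "__main__":
    print(detect_schema_walk(SAMPLE_LOG))
```

An application account that never needs metadata can also simply be alerted on for any information_schema read, which makes the offset threshold unnecessary.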

