Wow. What an exciting first half of 2012 it’s been! I’d been doing so well with MAKING and producing content for my blog but here lately my professional projects have just taken over nearly every portion of my life! Being a “hacker” isn’t just about being a bull in a china shop, crashing into everything and seeing what breaks. Sometimes, in order to be an effective attacker, we learn how things work and have to gently prod at things until we can find something that helps get us closer to a goal. The projects of late have been exactly that! I’ve been learning some really cool stuff, things I’d never thought I’d be touching. But due to the fact that these are so far outside my comfort zone, it’s been an adventure learning so many different things so quickly! This has eaten into the time I’d hoped to spend on the bike so far but as the weather continues to get nicer, I intend to find ways to change that! In addition to learning some totally new things, I have also been speaking more and more lately. I’ve been honored by several groups such as the Ohio Information Security Forum, the Ohio Society of CPAs, the Midwest Energy Association, and the Auditor of the State of Ohio’s office to speak on a variety of topics ranging from mobile and application security to penetration testing and social engineering. I’ve been fortunate enough to be invited to talk to audiences on SCADA assessments and hardening and fraud detection and prevention.
These projects have been keeping me on my toes and pushing my limits in new ways but it’s an opportunity for personal growth so I’m trying to use it as an opportunity to improve. And while it’s really sad to me that I can’t share much of the detail of what I’m doing, I am hoping that my team is able to do some substantial writing and perhaps building some talks around the work we’ve been doing after it’s over. And until then, I’ll be putting most of my personal projects on the back burner. I am, however, building a projects list page that I will be publishing on my website in hopes that publicizing them will push me to keep producing, and maybe some of you will find something that you want to get involved in- I’m all for collaboration when available. I’m also hoping to get back on a regular writing schedule. I don’t know what will be the best time to do so but the middle of the week was just NOT working.
I hope you’re keeping at it! If you’re not making something, what ARE you doing? If you’re taking the time to read this, it’s likely I’m trying to keep up with what you’re doing too- if you’re sharing. Write about it, engage me on Twitter, write on some forums, or make a video! It’s sometimes daunting to me to make content; I wonder if anyone reads, or if those who DO read care about what I have to say. But at the end of the day I just want to share with those of you who get my grap3y-ness and hopefully learn something from you along the way. Thanks again for reading!
Well most of you know that I have been taking flak from the Brothers about my stock pipes and how quiet they are. Well I was okay with letting good enough suffice until my clutch started giving me fits. Some research indicates a known vulnerability in the clutch springs Suzuki used in the Intruders from 1998-2004. By replacing these with thicker, longer springs, the clutch (supposedly) engages better and improves performance during shifting. Well, since I have to pull the pipes to get to the clutch, I decided it was time to throw some pipes on, which will also require the carbs to be rejetted and tuned.
Thankfully I have a friend who is pretty mechanical and able to help walk me through the process. We pulled the carbs and pipes off, then got the clutch springs replaced all within a few short hours. However, there are some broken bolts to overcome and replace, as well as deciding when, where, and how to get the carbs tuned. I found one place online but it seemed a little fishy, so I’m still investigating my options. By tuning the carbs to the pipes, not only will the bike sound completely different (and much louder), but it will also increase horsepower and gas mileage substantially- can’t be mad at that when gas just jumped to $3.70 a gallon!
So she sits. In someone else’s garage while I make decisions and get the carbs adjusted properly. I hope that the “right decision” smacks me in the face sooner than later because we have had some absolutely stellar weather around here for a winter! I would love to get in the wind and I have some travel that is supposed to be happening soon that I don’t want to let pass by!
If you’re riding, enjoy it. If your Iron Horse is down, treat her right and do a thorough job of getting her back on the road. A bike is much like a woman- if you treat her well then she’ll undoubtedly reciprocate, but if mama ain’t happy, ain’t NOBODY happy!
After a great response to my CSRF demo and explanation, I wanted to follow up and offer the exploit code that can be launched against the targeted application. The idea here is hopefully we have thoroughly explained the exploit and how the attacker is piggybacking on the user’s existing session credentials to carry out their nefarious actions.
As with any exploit, this is not to be abused. This is posted for educational purposes only and is intended for people to learn how the attacks happen and what we can do to prevent victims from falling prey in the wild. The fact that more people are taking tech into their own hands means there are more opportunities for attackers to take advantage of the weaknesses. The more we educate ourselves, the more we can educate others.
Cross-site request forgery, also known as a “one-click attack”, “session riding”, or “confused deputy attack”, and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. Because it is carried out in the browser (from the user’s IP address), this attack method becomes quite difficult to log. A successful CSRF attack is carried out when an attacker entices a user to “click the dancing gnome” which does some dirty gnom-ish v00d00 magic (no offence to any gnomes in the readership) on another site where the user is, or has recently been, authenticated.
As we’ll see in our video example, by tricking a user into clicking on a link, we are able to create a new administrator user, which allows us to log in at will and further our attack.
That doesn’t sound so bad…
What? Is this more FUD?
According to the United States Department Of Homeland Security, the most dangerous CSRF vulnerability ranks in at the 909th most dangerous software bug ever found, making this vulnerability more dangerous than most buffer overflows. Other severity metrics have been issued for CSRF vulnerabilities that result in remote code execution with root privileges, as well as for a vulnerability that can compromise a root certificate, which completely undermines a public key infrastructure. If that’s not enough, while typically described as a static type of attack, CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, a method seen used by the Samy worm. These attacks can also be constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL, or leveraged via session fixation or other vulnerabilities, just to name a few of the creative ways to launch this attack. Some other extremely useful and creative approaches to this attack have evolved in recent history. In 2009 Nathan Hamiel and Shawn Moyer discussed “Dynamic CSRF”, or using a per-client payload for session-specific forgery, at the BlackHat Briefings, and in January 2012 Oren Ofer presented a new vector called “AJAX Hammer” for composing dynamic CSRF attacks at a local OWASP chapter meeting.
Ok, so how can I protect myself?
Say it ain’t so!
If you’re the “average Web user” running unmodified versions of the most popular browsers, you can do relatively little to prevent cross-site request forgery. Logging out of sites and avoiding their “remember me” features can help to mitigate CSRF risk; not displaying external images and not clicking links in spam or untrusted e-mails may also help. Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests.
Web developers, however, have a better fighting chance to protect their users by implementing countermeasures such as:
Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker’s site cannot put the right token in its submissions
Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.)
Limiting the lifetime of session cookies
Checking the HTTP Referer header
Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls
Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies
Verifying that the request’s headers contain an X-Requested-With header. Used by Ruby on Rails (before v2.0) and Django (before v1.2.5). This protection has been proven insecure under a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website, hence allowing a forged request.
One simple method to mitigate this vector is to use a CSRF filter such as OWASP’s CSRFGuard. The filter intercepts responses, detects whether the response is an HTML document, inserts a token into the forms, and optionally inserts script to add tokens to AJAX functions. The filter also intercepts requests to check that the token is present. One evolution of this approach is to double submit cookies for users who use JavaScript. If an authentication cookie is read using JavaScript before the POST is made, JavaScript’s stricter (and more correct) cross-domain rules will be applied. If the server requires requests to contain the value of the authentication cookie in the body of POST requests or in the URL of dangerous GET requests, then the request must have come from a trusted domain, since other domains are unable to read cookies from the trusting domain.
Checking the HTTP Referer header to see if the request is coming from an “authorized” page is a common tactic employed by embedded network devices due to the low memory requirements. However, a request that omits the Referer header must be treated as unauthorized, because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs. This strict Referer validation may cause issues with browsers or proxies that omit the Referer header for privacy reasons. Also, old versions of Flash (before 9.0.18) allow malicious Flash to generate GET or POST requests with arbitrary HTTP request headers using CRLF injection. Similar CRLF injection vulnerabilities in a client can be used to spoof the referrer of an HTTP request. To prevent forgery of login requests, sites can use these CSRF countermeasures in the login process, even before the user is logged in. As another consideration, sites with especially strict security needs, like banks, often log users off after (for example) 15 minutes of inactivity.
Using the HTTP specified usage for GET and POST, in which GET requests never have a permanent effect, while good practice is not sufficient to prevent CSRF. Attackers can write JavaScript or ActionScript that invisibly submits a POST form to the target domain. However, filtering out unexpected GETs prevents some particular attacks, such as cross-site attacks using malicious image URLs or link addresses and cross-site information leakage through <script> elements (JavaScript hijacking); it also prevents (non-security-related) problems with some web crawlers as well as link prefetching.
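As an added example (not code from the original post), here is how the synchronizer-token and double-submit cookie checks described above look server-side in Python; the in-memory session store, the request dicts and the "add_admin" form are constructed stand-ins for a real framework, and the forged request carries the victim's session cookie exactly as the browser would attach it.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}

def new_session(user):
    """Log a user in: issue a session cookie and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def form_token(sid):
    """Value the server embeds as a hidden field in every form it renders."""
    return SESSIONS[sid]["csrf_token"]

def check_synchronizer_token(req):
    """Synchronizer-token check: the hidden form field must equal the token
    bound to the session named by the cookie. req is a constructed dict
    with the keys method, cookies, form and headers."""
    if req["method"] != "POST":
        return False  # state-changing actions are never accepted over GET
    session = SESSIONS.get(req["cookies"].get("session"))
    if session is None:
        return False  # nothing to ride: no valid session behind the cookie
    submitted = req["form"].get("csrf_token", "")
    # Constant-time compare so response timing does not leak the token.
    return hmac.compare_digest(submitted, session["csrf_token"])

def check_double_submit(req):
    """Double-submit check for JavaScript clients: same-origin script reads
    the csrf cookie and echoes it in a header. A cross-site page cannot read
    that cookie, so it cannot produce a matching header."""
    if req["method"] != "POST":
        return False
    cookie_val = req["cookies"].get("csrf", "")
    header_val = req["headers"].get("X-CSRF-Token", "")
    if not cookie_val or not header_val:
        return False  # missing on either side is treated as forged, not unset
    return hmac.compare_digest(cookie_val, header_val)

def legit_and_forged(sid):
    """Build one legitimate request and one forged request that rides the
    same session cookie, as in the add-admin scenario from the post.
    The csrf cookie value is a constructed placeholder."""
    base = {"cookies": {"session": sid, "csrf": "c0ffee-constructed"},
            "headers": {}, "form": {"action": "add_admin", "name": "evil"}}
    legit = dict(base, method="POST",
                 form=dict(base["form"], csrf_token=form_token(sid)),
                 headers={"X-CSRF-Token": "c0ffee-constructed"})
    forged = dict(base, method="POST")  # attacker's page never learns the token
    return legit, forged

if __name__ == "__main__":
    sid = new_session("alice")
    legit, forged = legit_and_forged(sid)
    for name, req in (("legit", legit), ("forged", forged)):
        print(name, check_synchronizer_token(req), check_double_submit(req))
```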
Well, this weekend kicks off the North American Viral Infection 2012!
For those who aren’t familiar with this, it’s the title of my tour which will take place one weekend each month as I venture off to visit my Brothers of the IOMC. I initially planned to have traveled to a neighboring state to spend some time with an awesome chapter but after the clutch on my bike gave out and I committed to making the drive in a cage, the brothers of that chapter ended up being out of town this weekend so I suddenly had some spare time on my hands, my ol’ lady with half a day’s vacation, and I wasn’t about to just let the opportunity escape me.
So while I didn’t get to devote the time to Brotherhood, I was lucky enough to spend the time with my wonderful woman. We helped each other relax and escape the responsibilities nipping at our heels- me of the overwhelming urge to work almost nonstop, and her the insatiable maternal instincts or Pavlovian habit of jumping into mom-taxi mode the moment one of the kids beckons. A welcome break from the craziness of real life, sadly ending just a few hours after the start.
Calling it a night earlier than normal as I gear up for some exciting projects this week. I have more video work that I’ve been putting off but will be getting back to, as well as pushing the launch of my CSRF explanation/walkthrough. I am also looking forward to refocusing on some writing. Finally, I’m hunting down more content topics so I’d love to hear what you might like to see the monkeys bang out on the typewriters!
Stay safe out there- I’ll see you around the internet!
This post is a part of a research project and is NOT to be taken for public consumption. Please do NOT click the button below unless you have been directed to explicitly BY ME!
I will not be held responsible for anyone who chooses to use this exploit without full knowledge and understanding of the ramifications of doing so.
I recently switched to Fedora 16 as my primary OS, and around the same time I started doing more recording work, screen captures and web cam sessions, and have needed to view, edit, and convert many different types of audio and video files. In setting up this tool set, I ran into the typical Linux downfall of needing to install several media codecs which weren’t packaged with the OS. Yes, I know there are other sources for this, but it’s here for others who find it useful, and useful to me because not only do I now have it close at hand, but writing about something always helps commit it to my memory better than not.
Start by adding the RPMFusion repository to Fedora
Visit rpmfusion.org website and enable RPM Fusion on your system.
Open a terminal and run the following command:
su -c 'yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm'
Then we verify RPM Fusion’s signing keys by running the following two commands in your terminal and comparing the output with the keys listed on the RPM Fusion keys page. They should match.
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-15-primary
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-nonfree-fedora-15-primary
Next, update your system with the new repos in effect:
su -c 'yum update -y'
We now have to install the gstreamer restricted plugins via this small download. It shouldn’t take much time to install.
su -c 'yum -y install gstreamer-plugins-bad-free gstreamer-ffmpeg gstreamer-plugins-bad gstreamer-plugins-ugly'
I finished these steps and was watching all the formats of video I needed. This was quick, simple, and effective. I hope you find it useful. Also, if you’re a Windows user and reading, I recommend you give Fedora or Ubuntu a try. These are solid desktop OS alternatives which are free for personal use. Although I will admit Microsoft has vindicated itself in my eyes with Windows 7, supporting the Open Source community will always be my preference, as it helps promote the growth of innovators in the industry. Plus, you might just enjoy doing something different.
In today’s society, we have this need to be constantly plugged into the matrix. We want to know what our family, crush, or favorite celebrities are doing and we’re desperate for the attention that comes from broadcasting so others know what we’re up to at all times. This endlessly growing obsession with social media has bred an insatiable need to share, like, retweet, and post everything up to and including things that should stay private. In other words if you tweet me a picture of your junk, don’t be surprised if I tag you in the picture I snap after I blow it off with my very big gun!
Many of you know I recently abandoned Facebook in hopes of bringing my flair, style, & pizzazz to Google+. As a result of this I’ve been given a first hand glimpse of what I’m calling the Social Media Disconnection Disorder. This became apparent to me months ago when I watched several friends and family members become addicted to Zynga games- if you’re interested, ask me about a humorous help desk story on the topic.
On my first Facebook-free day, I could only liken the experience to when I quit smoking cigarettes, or to the only time in my life I ever got headaches due to my caffeine addiction. It was miserable. I had to consciously force myself to NOT log into Facebook, to think about something else, to find another cause to focus that energy on. Twitter or Google+ anyone? I’ve been off Facebook for a month now. I thought for SURE when I stopped posting & moved to G+, Zuckerberg himself would have shut down the Facebook offices and followed. While I do check on it to keep tabs on some things in life, I don’t miss it anymore- much easier than quitting smoking.
So whatever your vice, remember that most things are acceptable in moderation. Whatever you choose, enjoy and remember to disconnect and step away from the keyboard on occasion. See you around the internet.
I did this video some time ago for the MicroSolved team and wanted to bring it back up for users who are new, inexperienced, or uneducated about some basic tips that can help keep us safe while using smart phones. The tech most of us carry around in our pockets is more advanced than the spacecraft that carried the first men to the moon, but in order to increase sales they’re marketed to users who don’t even qualify as “tech savvy” let alone rocket scientists. So here are 3 quick and easy tips that can help to improve your chances of staying secure in our “always-on” society:
So this post is to commemorate a very odd event in my life- my 5000th post on Twitter.
When I first heard about twitter I was against it. Who the hell cares what you have to say in 140 characters or less while you’re standing in the line at the grocery store? I, for one, do NOT. But as I started my journey into the world of Info Sec, I realized how convenient it was to have access to a wide audience and to such a wide range of perspectives from around the world in real time. As Twitter got more popular, it became a great crowd-sourcing tool allowing me to promote, educate, rant, and inquire (among other things) with people around the world with varying interests, backgrounds, and experiences who could provide some really useful information. We have seen news unfold on Twitter faster than any other medium known to man. From political issues tweeted in troubled countries, to natural disasters and major catastrophes, to the assault and death of Osama Bin Laden, Twitter allows us to connect like nothing else before it.
Tweet-ing has become a verb that I hear daily. The Fail Whale has become a modern icon, and hash tags are EVERYWHERE these days. Twitter has had a huge impact on our global culture in an astonishingly short amount of time. Twitter has integrated itself into our lives in ways that we’d never envisioned. It’s odd, for me as one to have rebelled against Twitter for so long, to admit that I have a hard time imagining life without Twitter or to say that in the Social Networking Race, Twitter and Google+ recently won my allegiance over Facebook or any other solution thus far. And now, you’re sharing my 5000th tweet with me- I hope you’ve gotten some value from my posts.
Anyway, thanks for your continued support! I hope to continue to offer my perception on any topics that arise- if you have something you’d like to hear my point of view on, let me know! I’m always looking for fresh content and stuff that doesn’t bore you to death! I can’t wait for the road trips to begin- February is just around the corner! The goal is 15,000 miles this year, but THAT is a whole other blog post!