ITS Blog

IT security blog – about up-to-date topics in IT security

Dear reader,

maybe you wondered why I have not posted since my announcement of “Hacking a website”. The reason for this is very simple: I am currently sick.

Hopefully I will be able to publish by the middle or end of the week.

Stay tuned.

In the coming weeks I would like to hack a website together with you, in order to take a deep look at web security.

I will show how attackers try to execute code on a website, and which typical mistakes a programmer can make when writing code for a highly dynamic website. Additionally, cross-site scripting will be explained using a real-life example.

Isn’t it illegal?

Well, in general it would be. But in our case we will hack a website running on our own machine.

Therefore, in the first article I will introduce you to a deliberately vulnerable web application. It can be downloaded from the Internet as a disk image, and it is legal and free to use. But please do not run this application on a computer that is reachable from the Internet: it is so vulnerable that an attacker on the Internet could easily gain full access to your machine.

This application has been developed for training purposes, to teach developers how an attacker thinks and how easy it can be for an attacker to do harmful things.

To prepare yourself in advance, I recommend installing VirtualBox, a free virtualization system which can boot ISO images (a file representing the content of a CD/DVD) and runs on Windows, Linux, OS X and Solaris. When you set up the virtual machine, attach it to a host-only network, so that the vulnerable system is reachable only from your own machine and not from the outside.

As an alternative you can burn the image to a CD/DVD and boot it on a spare system that is disconnected from the Internet.

Yesterday (August 5th, 2010) the BSI (Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security), a German government agency, issued a warning about devices running iOS.

Affected are:

  • iPhone with iOS 3.1.2 to 4.0.1
  • iPad with iOS 3.2 to 3.2.1
  • iPod touch with iOS 3.1.2 to 4.0
  • possibly devices with older versions as well

The problem lies in the devices' PDF viewer. Using this hole, an attacker can run their own code on the device simply by getting the user to open a crafted PDF. The attacker is also able to escape the sandbox, which means all data on the device is at risk, including but not limited to GPS location, SMS messages, passwords, emails and contact information.

For the full warning, have a look at the BSI advisory (in German).

Their suggestions are:

  • Do not open PDFs on your device
  • Visit only trusted sites with your device
  • Do not follow links in emails or on websites you do not trust
  • If you are using search engines like Google, do not click on PDF results

These guidelines should be followed until there is a software update fixing the problem.

Last night I took the opportunity to download the leaked data via BitTorrent.

To make it short, the data contained:

  • the full names of the available profiles
  • some aggregated information, like first names, sorted and counted
  • a script to crawl by yourself
  • a list of 170,879,859 URLs leading to a miniature picture of your profile image and a list of 8 of your friends

In the end, the profiles were just user names. To have a look at a profile you need to be logged in.

What Ron did was similar to automatically scanning phone books and publishing them on the Internet.

On 28 July 2010 the news spread that 100-170 million sets of “user data” had been leaked from Facebook [see arstechnica, bbc, heise (German) or skullsecurity]. Ron Bowes, a security researcher, wrote a program which crawled through Facebook's publicly available user directory. The crawler visited each and every profile listed there and stored the available information. Since then I have heard a lot of people talking about a privacy problem at Facebook.

But what really happened?

Facebook and some of its users have a strong interest in being found by Google and other search engines. Therefore there is a setting in the profile that allows users to define which parts of their information are visible to whom. There is also a separate switch in the privacy settings that makes the profile publicly searchable.

To make users publicly searchable, Facebook opened a directory: Facebook directory

This directory lists every user who allowed Facebook to make their profile publicly searchable.

Besides this option there are others through which a Facebook user allows people to view certain details, ranging from pictures to contact information. All the information the user added and allowed everyone to view ends up in the publicly searchable profile.

This leads to the point that it is up to the user whether they are visible to search engines, and being visible to search engines means being visible to crawlers: a search engine's crawler and a researcher's crawler see exactly the same unauthenticated page.

The rest is simple programming and scripting. The attacker writes a small crawler which visits each page and saves it to disk. There are even off-the-shelf tools which can do this task. Ron afterwards made the data available via BitTorrent, a common file-sharing system.
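To make the "simple programming and scripting" concrete, here is a small crawler of the kind described above. It is an added example written for this page, not the post's own code and not Ron Bowes's script. It runs against a constructed in-memory copy of a hypothetical directory (the host example.invalid, the page layout, the robots.txt and all names are made up for the example), so no real site is touched. It collects the same three things per profile that the leaked data set consisted of, the name, the thumbnail URL and the short friends list, produces the "first names, sorted and counted" aggregate, and skips paths that robots.txt disallows, exactly as a search engine crawler would.

```python
"""Toy directory crawler (added example; assumes a made-up site layout)."""
from collections import Counter, deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.robotparser import RobotFileParser

BASE = "https://example.invalid"  # hypothetical host, constructed for the example

# Constructed stand-in for a "public directory": an index split over two pages
# that links to public profile pages. Each profile carries a name, a thumbnail
# of the profile picture and a short friends list, like the leaked data set.
PAGES = {
    f"{BASE}/robots.txt": "User-agent: *\nDisallow: /private/\n",
    f"{BASE}/directory/?page=1": """<html><body>
      <a href="/profile/alice.smith">Alice Smith</a>
      <a href="/profile/bob.jones">Bob Jones</a>
      <a href="/private/admin">admin</a>
      <a href="/directory/?page=2">next</a></body></html>""",
    f"{BASE}/directory/?page=2": """<html><body>
      <a href="/profile/alice.wong">Alice Wong</a>
      <a href="/profile/carol.white">Carol White</a></body></html>""",
    f"{BASE}/profile/alice.smith": """<html><body><h1>Alice Smith</h1>
      <img src="/pics/alice.smith_s.jpg"><ul><li><a href="/profile/bob.jones">Bob Jones</a></li>
      <li><a href="/profile/carol.white">Carol White</a></li></ul></body></html>""",
    f"{BASE}/profile/bob.jones": """<html><body><h1>Bob Jones</h1>
      <img src="/pics/bob.jones_s.jpg"><ul><li><a href="/profile/alice.smith">Alice Smith</a></li></ul></body></html>""",
    f"{BASE}/profile/alice.wong": """<html><body><h1>Alice Wong</h1>
      <img src="/pics/alice.wong_s.jpg"><ul></ul></body></html>""",
    f"{BASE}/profile/carol.white": """<html><body><h1>Carol White</h1>
      <img src="/pics/carol.white_s.jpg"><ul><li><a href="/profile/alice.smith">Alice Smith</a></li></ul></body></html>""",
}


def fetch(url):
    """Stand-in for an HTTP GET: look the page up in the constructed corpus.
    A real crawler would do a GET here, with a delay between requests."""
    return PAGES.get(url)


class PageParser(HTMLParser):
    """Collects only what the crawler needs: links, image URLs and the <h1> text."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.h1 = [], [], None
        self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "h1":
            self._in_h1 = True

    def handle_data(self, data):
        if self._in_h1 and data.strip():
            self.h1 = data.strip()

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False


def crawl(seed):
    """Breadth-first crawl of one host, honouring robots.txt.
    Returns {profile_url: {"name", "thumbnail", "friends"}}."""
    host = urlsplit(seed).netloc
    robots = RobotFileParser()
    robots.parse((fetch(urljoin(seed, "/robots.txt")) or "").splitlines())

    profiles, seen, queue = {}, {seed}, deque([seed])
    while queue:
        url = queue.popleft()
        if not robots.can_fetch("*", url):
            continue  # disallowed paths (here /private/) are never fetched
        html = fetch(url)
        if html is None:
            continue
        p = PageParser()
        p.feed(html)
        if "/profile/" in url:  # assumed URL scheme of the made-up site
            profiles[url] = {
                "name": p.h1,
                "thumbnail": urljoin(url, p.images[0]) if p.images else None,
                "friends": [urljoin(url, l) for l in p.links if "/profile/" in l],
            }
        for link in p.links:
            nxt = urljoin(url, link)
            if urlsplit(nxt).netloc == host and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return profiles


def first_name_counts(profiles):
    """The 'first names, sorted and counted' aggregate, most frequent first."""
    names = (p["name"].split()[0] for p in profiles.values() if p["name"])
    return sorted(Counter(names).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = crawl(f"{BASE}/directory/?page=1")
    for url, info in sorted(found.items()):
        print(url, info["name"], info["thumbnail"], len(info["friends"]))
    print(first_name_counts(found))
```

Everything the crawler stores was already visible to anyone with a browser; the only thing the script adds is scale. Replacing `fetch` with a real HTTP request (plus a pause between requests and an honest User-Agent) is all that separates this toy from the kind of tool the post talks about, which is the point: publicly searchable means publicly collectable.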

If you want to check which information is available there, go to the Facebook directory and have a look for yourself.

Another interesting aspect of this issue is that some big companies downloaded the crawled data. According to gulli.com, the list also includes organizations like Scientology. For a full list of companies visit gulli.com. Unfortunately the article is in German.

Today I am officially starting my IT security blog. I am planning to blog about interesting topics related to IT security.

In case you are curious about me: I worked for several years as Infrastructure Group Lead and Information Security Trustee at Amdocs, the world market leader in customer care & billing, and decided to leave in order to start the adventure of going back to university. So here I am, in the 3rd semester of a master's degree in IT security, from which I am profiting quite a lot. From now on I would like to share the most interesting parts and newsworthy issues with you.

Questions, comments and remarks are always welcome.

During the weekend I participated in a hacker camp in Luxembourg. Apart from the really shitty weather, it was a great experience. The event was organised by syn2cat and CCC letzebuerg.

There were a lot of talks on a huge number of topics:

  • biomods
  • otrkeys
  • de-anonymisation
  • malware analysis
  • … and many others

Thanks to the organizing team… It was great fun.

I can only recommend that everyone join the next event. For the moment it is not clear whether it will take place next year. As soon as there is any information I will publish it on this blog.