Wednesday, May 22, 2013

Deadly leak

For years, website databases have been getting hacked, and we assume that, thanks to the information obtained, there are people and companies that lose accounts, online assets, reputation, privacy and money. There have been leaks that perhaps led to soldiers, undercover agents or informants being captured or killed, but those are people who act out of conviction or for money, and by taking part they should accept, or at least know, the rules.

The latest interesting leak was against the police in South Africa[1], where you can see victims' complaints and informants' reports.


I suppose you now expect me to make the usual criticism of the designers, developers and administrators for not having protected the site against SQLi, for not having encrypted the data. Well, there, done, I just did it.

This time I'm more interested in the point of view of the person who is on the list.


As you can see at a glance, two out of every three of the complaints associated with interesting words have no name; they are probably anonymous complaints. And the remaining third?



keyword    total   with name
drugs        285         120
murder       252         173
kill         565         402
kidnap        32          25
gang         129          94
rape         216         151
total      15796       12501



The scenario I imagine is this: some criminal who was arrested because of a complaint but never knew who reported him finds it in the leak, with the complainant's name, phone number, city and email. Shall I go on?

Think about it. If you work in IT, don't be the one responsible for this.

(update: along the way we also learn who has been a rape victim, and other things people love having spread around without their permission)

And don't forget that every word you put here on the Internet will live forever[2], and if some cybercriminal doesn't use it first, it will go to a data warehouse and next year, or ten years from now, when what is "politically correct" changes, it will be correlated with some sin and you will pay for it.


[1] http://www.itweb.co.za/index.php?option=com_content&view=article&id=64268:SAPS-hack-spells-negligence&catid=265

[2] http://en.wikipedia.org/wiki/Big_data

Wednesday, May 15, 2013

Security culture cheat sheet

Cheat sheet always sounds like eat shit to me, but oh well, that's my problem.

The instructions to build the demo are in [1].

We're looking into doing the second part soon; stay tuned.

I'm sharing with the meetup[2] attendees, and anyone else interested, the little sheet I showed with the lists of concepts I think are worth keeping in mind.

It's in beta, there are things missing, so it's worth coming back in a few days. I'm putting it in English because that's how I usually work, but if anyone needs me to translate it, ask and it will go on the backlog.

[1] http://seguridad-agile.blogspot.com/2012/09/cafein.html
[2] http://www.meetup.com/agiles-bsas/events/118145402/

Information Security Principles

  • Confidentiality
  • Integrity
  • Availability

Information Access Properties

  • Authentication
  • Authorization
  • Non-repudiation

Design Principles (Saltzer, Schroeder)

  • Economy of mechanism
  • Fail-safe defaults
  • Complete mediation
  • Open design
  • Separation of privilege
  • Least privilege
  • Least common mechanism
  • Psychological acceptability

Other concepts

    Threat modelling

    OWASP Application Threat Modelling

    STRIDE

    • Spoofing identity
    • Tampering with data
    • Repudiation
    • Information disclosure
    • Denial of service
    • Elevation of privilege

    DREAD

    • Damage
    • Reproducibility
    • Exploitability
    • Affected users
    • Discoverability

    Taxonomies

    Seven Kingdoms

    1. Input validation and representation
    2. API abuse
    3. Security features
    4. Time and state
    5. Errors
    6. Code quality
    7. Encapsulation
    8. Environment

    Checklists

    OWASP Top Ten 2013

    1. Injection
    2. Broken authentication and session management
    3. Cross-site scripting (XSS)
    4. Insecure direct object reference
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross-site request forgery (CSRF)
    9. Using components with known vulnerabilities
    10. Unvalidated redirects and forwards

    SANS top 25 software errors

    1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    2. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    5. Missing Authentication for Critical Function
    6. Missing Authorization
    7. Use of Hard-coded Credentials
    8. Missing Encryption of Sensitive Data
    9. Unrestricted Upload of File with Dangerous Type
    10. Reliance on Untrusted Inputs in a Security Decision
    11. Execution with Unnecessary Privileges
    12. Cross-Site Request Forgery (CSRF)
    13. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    14. Download of Code Without Integrity Check
    15. Incorrect Authorization
    16. Inclusion of Functionality from Untrusted Control Sphere
    17. Incorrect Permission Assignment for Critical Resource
    18. Use of Potentially Dangerous Function
    19. Use of a Broken or Risky Cryptographic Algorithm
    20. Incorrect Calculation of Buffer Size
    21. Improper Restriction of Excessive Authentication Attempts
    22. URL Redirection to Untrusted Site ('Open Redirect')
    23. Uncontrolled Format String
    24. Integer Overflow or Wraparound
    25. Use of a One-Way Hash without a Salt

    Sunday, May 5, 2013

    w3af on raspberry pi

    w3af on raspbian (debian 7.0)

    If you need a Spanish version, ask for it and I'll do it.

    Update: check http://seguridad-agile.blogspot.com/2015/11/choco-pi.html for a cool and tasty case 

    Dreaming about plugging a tiny box into a free port, waiting a few minutes and walking away with a network scan and a vulnerability assessment in your pocket? Perhaps running an automated exploit too? So, are you ready for load average: 2.85, 2.40, 1.72? You are not alone.


    Step 0

    Install Raspbian[1] on your Raspberry Pi B[2]

    $> sudo apt-get update
    $> sudo apt-get upgrade

    First attempt

    Install w3af[3] from the repos

    $> sudo apt-get install w3af

    $> w3af_console

    /usr/bin/w3af_console: 3: /usr/bin/w3af_console: /usr/bin/python2.5: not found

    $> whereis w3af_console

    w3af_console: /usr/bin/w3af_console

    $> cat /usr/bin/w3af_console



    Change python2.5 to python in that script. Bad start.

    $> w3af_console

    28 seconds later...



    w3af>>> profiles
    w3af/profiles>>> use fast_scan
    The plugins configured by the scan profile have been enabled, and their options configured.
    Please set the target URL(s) and start the scan.

    w3af/profiles>>> back
    w3af>>> target
    w3af/config:target>>> set target http://192.168.1.102/
    w3af/config:target>>> back
    w3af>>> start
    Auto-enabling plugin: grep.error500
    The thread: <WorkerThread(Thread-9, started daemon -1319824272)> raised an exception while running the request: <bound method fingerprint_404._send_404 of <core.controllers.coreHelpers.fingerprint_404.fingerprint_404 instance at 0x1a8d3c8>>
    Exception: w3afMustStopException found by _send_404, someone else will handle it.
    The thread: <WorkerThread(Thread-14, started daemon -1361767312)> raised an exception while running the request: <bound method fingerprint_404._send_404 of <core.controllers.coreHelpers.fingerprint_404.fingerprint_404 instance at 0x1a8d3c8>>


    try again...

    w3af>>> version
    w3af - Web Application Attack and Audit Framework
    Version: 1.1 (from Debian Package 1.0-rc3svn3489-1)
    Author: Andres Riancho and the w3af team.


    Oops! It's too old! But it's new! I've just installed it from the repo! I cannot ask for help: "Please upgrade to the latest version". We have to clean up the mess.


    # dependencies.pl
    #
    # Parses an apt history log looking for the "apt-get install w3af"
    # command and prints every package that was installed to fulfil
    # its dependencies, so they can be removed in one go.

    use strict;
    use warnings;

    my $found  = 0;
    my $stop   = 0;
    my $result = '';

    while (defined(my $line = <>) && !$stop) {
        chomp $line;    # a bare chomp would strip $_, not $line

        if ($found == 1) {
            # The "Install:" line lists "name:arch (version, automatic), ..."
            foreach my $val (split(' ', $line)) {
                # Skip the "Install:" label and the "(version, automatic)" tokens
                if ($val !~ m/[()]/ && $val !~ /Install/) {
                    my ($name, $arch) = split(':', $val);
                    $result .= "$name ";
                }
            }
            $stop = 1;
        }
        elsif ($line =~ m/Commandline: apt-get install w3af/) {
            $found = 1;
        }
    }
    print $result . "\n";


    Run this script to remove w3af and its dependencies.

    $> sudo apt-get remove $( cat /var/log/apt/history.log | perl dependencies.pl)

    Second attempt

    Install w3af from github.

    $> git clone https://github.com/andresriancho/w3af.git

    $> ./w3af_console

    It will start crying for dependencies; be kind to it and resolve them:

    $> sudo apt-get install python-setuptools git libxslt-dev python2.7-dev libsqlite3-dev libxml2-dev python-pip



    $> sudo pip install PyGithub GitPython pybloomfiltermmap esmre nltk pdfminer futures pyOpenSSL lxml scapy-real guess-language cluster msgpack-python python-ntlm


    $> sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

    Run it again and again

    $> ./w3af_console
    $> sudo pip install chardet
    $> sudo pip install -e git+git://github.com/ramen/phply.git#egg=phply

    $> ./w3af_console

    Do you accept the terms and conditions? [N|y] y

    I'd only tried the console because I don't have an HDMI monitor and did not want to burn my eyes with the TV output, so I used ssh from a "real" computer.

    Later, I connected with ssh -X and tried the gui:

    $> ssh pi@192.168.1.105 -X

    $> ./w3af_gui


    Resolve until it runs

    $> sudo apt-get install graphviz python-gtk2 python-gtksourceview2

    $> sudo pip install xdot

    If you are using a 2GB card like me,

    rootfs           1838936 1488260    257636  86% /

    keep an eye on df. If you are running out of space, remember to purge /var/cache/apt/archives. pip does not keep temporary files, but apt-get installs the packages in the root partition. Remember that 4GB is the recommended size.

    I am using an extra pendrive with ext4 to host w3af with no problems.

    Some people would say "why didn't you use http://pwnpi.sourceforge.net?[4]"

    Well, it's more fun this way, I learn more about it, and I don't have another SD card.

    (update: there is a pretty list at http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/ )

    One way or another, the nerd thing:

    Step two

    Be careful, don't fry your computer

    Thanks to Andrés Riancho from w3af for the advice on monitoring w3af.

    There is a single file [5] to modify.

    First you have to import the RPi.GPIO module[6] and add some setup code:

    import RPi.GPIO as GPIO
    GPIO.setmode(GPIO.BCM)
    GPIO.setup(channel, GPIO.OUT)  # for each channel


    Then you turn the LEDs on or off:

    GPIO.output(channel, True/False)  # for each channel


    Event-based blinking effect without PWM (read the channel back and invert it):

    GPIO.output(channel, not GPIO.input(channel))

    I left this out in order to keep the LEDs on when the script is over:

    GPIO.cleanup()
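An added example, not w3af's or the post's own code: the same four-phase LED scheme (init, scan start, plugin change toggle, finished) wrapped in a small class with an in-memory fallback when RPi.GPIO is not installed, so it can be imported and exercised off the board. The BCM pin numbers follow the patch below; the ScanLeds class, the fake backend and the scan sequence in run_demo are assumptions of mine.

```python
try:
    import RPi.GPIO as GPIO                     # real board
except ImportError:
    # Assumption: off the Pi, keep pin states in a dict so the module
    # still imports and the logic can be exercised in a test.
    class _FakeGPIO(object):
        BCM, OUT, LOW = "BCM", "OUT", False
        def __init__(self):
            self.pins = {}
        def setmode(self, mode):
            pass
        def setup(self, ch, mode, initial=False):
            self.pins[ch] = bool(initial)
        def output(self, ch, value):
            self.pins[ch] = bool(value)
        def input(self, ch):
            return self.pins[ch]
    GPIO = _FakeGPIO()
# BCM channels from the patch, one LED per scan phase.
LED_INIT, LED_START, LED_PLUGIN, LED_DONE = 25, 24, 23, 4
ALL_LEDS = (LED_INIT, LED_START, LED_PLUGIN, LED_DONE)

class ScanLeds(object):
    """Hypothetical helper mirroring the w3af scan phases on four LEDs."""
    def __init__(self, gpio=GPIO):
        self.gpio = gpio
        gpio.setmode(gpio.BCM)
        for ch in ALL_LEDS:
            gpio.setup(ch, gpio.OUT, initial=gpio.LOW)
        gpio.output(LED_INIT, True)             # core initialised
    def starting_scan(self):
        self.gpio.output(LED_START, True)
    def plugin_changed(self, plugin_name):
        # Event-based blink without PWM: read the pin back and invert it.
        self.gpio.output(LED_PLUGIN, not self.gpio.input(LED_PLUGIN))
    def finished(self):
        self.gpio.output(LED_PLUGIN, True)
        self.gpio.output(LED_DONE, True)
        # Deliberately no GPIO.cleanup(): the LEDs stay lit after the run.
    def state(self):
        return {ch: bool(self.gpio.input(ch)) for ch in ALL_LEDS}

def run_demo():
    """Constructed scan sequence (three plugins); returns final LED states."""
    leds = ScanLeds()
    leds.starting_scan()
    for name in ("web_spider", "sqli", "xss"):
        leds.plugin_changed(name)
    leds.finished()
    return leds.state()
```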

    update: Andrés asked me for the code, here it is:

    diff --git a/core/controllers/core_helpers/status.py b/core/controllers/core_
    helpers/status.p
    index 8aa19bf..353f154 100644
    --- a/core/controllers/core_
    helpers/status.py
    +++ b/core/controllers/core_
    helpers/status.py
    @@ -19,6 +19,7 @@ along with w3af; if not, write to the Free Software
     Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

     '''
    +import RPi.GPIO as GPIO
     import time

     import core.controllers.output_
    manager as om
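Review bot: the unconditional `import RPi.GPIO as GPIO` at module level makes status.py fail to import on any host without the RPi.GPIO package, which is every machine running w3af that is not this Pi; wrap it in `try: ... except ImportError:` with a no-op fallback so the board-specific behaviour stays optional.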
    @@ -33,6 +34,12 @@ class w3af_core_status(object):
         the different methods to (get) the information required.
         '''
         def __init__(self, w3af_core):
    +        GPIO.setmode(GPIO.BCM)
    +        GPIO.setup(25, GPIO.OUT, initial=GPIO.LOW)
    +        GPIO.setup(24, GPIO.OUT, initial=GPIO.LOW)
    +        GPIO.setup(23, GPIO.OUT, initial=GPIO.LOW)
    +        GPIO.setup(4, GPIO.OUT, initial=GPIO.LOW)
    +
             # Store the core to be able to access the queues to get status
             self._w3af_core = w3af_core
            
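Review bot: `__init__` hard-codes the four BCM channels (25, 24, 23, 4) and calls `GPIO.setmode`/`GPIO.setup` every time a w3af_core_status object is created; move the pin numbers to named module-level constants and do the setup once, since RPi.GPIO warns when a channel already in use is set up again.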
    @@ -49,6 +56,8 @@ class w3af_core_status(object):
             # The current fuzzable request that the core is analyzing at each phase
             # where a phase means crawl/audit
             self._current_fuzzable_request = {}
    +        print "#### INIT ####\n"
    +        GPIO.output(25, True)

         def pause(self, pause_yes_no):
             self._paused = pause_yes_no
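Review bot: `print "#### INIT ####\n"` writes straight to stdout and bypasses the output manager the file already imports as `om`; print also terminates the line itself, so the explicit `\n` leaves a blank line after every message. Route these messages through `om` (or drop them) so they obey the configured output plugins.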
    @@ -81,6 +90,8 @@ class w3af_core_status(object):
                 audit_fr = self.get_current_fuzzable_
    request('audit')
                
                 if crawl_plugin == audit_plugin == crawl_fr == audit_fr == None:
    +                print "#### STARTING SCAN ####\n"
    +                GPIO.output(24, True)
                     return 'Starting scan.'

                 status_str = ''
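Review bot: this branch runs on every status query while nothing has started yet, so `GPIO.output(24, True)` and the print repeat on each poll rather than firing once; the LED tolerates it, but the message will spam the console. Set the pin where the scan is actually started instead of inside the status-string getter.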
    @@ -110,6 +121,8 @@ class w3af_core_status(object):
             self._running_plugin[plugin_
    type] = plugin_name
             self._latest_ptype, self._latest_pname = plugin_type, plugin_name
    +        print "#### SET RUNNING PLUGIN: %s ####\n" % plugin_name
    +        GPIO.output(23, not GPIO.input(23))

         def get_running_plugin(self, plugin_type):
             '''
    @@ -129,6 +142,9 @@ class w3af_core_status(object):
             :return: If the user has called start, and then wants to know if the
             core is still working, it should call is_running() to know that.
             '''
    +        print "### RUNNING ###\n"
    +        GPIO.output(23, not GPIO.input(23))
    +
             return self._is_running
        
         def is_paused(self):
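Review bot: `is_running()` is a getter that the console and GUI poll in a loop, so toggling pin 23 and printing `### RUNNING ###` here blinks the LED at the polling rate and floods the output; the previous hunk already toggles the same pin in set_running_plugin(), which is the event the blink is meant to show. Drop the toggle and the print from is_running().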
    @@ -170,6 +186,10 @@ class w3af_core_status(object):
             self._is_running = False
             self._running_plugin = {}
             self._current_fuzzable_request = {}
    +        print "### SCAN FINISHED ###\n"
    +
    +        GPIO.output(23, True)
    +        GPIO.output(4, True)

         def get_current_fuzzable_request(
    self, plugin_type):
             '''
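Review bot: the deliberate absence of `GPIO.cleanup()` (the post wants the LEDs to stay lit after the scan) deserves a comment next to the two final `GPIO.output` calls, otherwise the next reader will add it back as a resource leak fix.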
    @@ -282,11 +302,10 @@ class w3af_core_status(object):
                           ' ETA (%(aeta)s)\n'
                          
             status_str += 'Requests per minute: %(rpm)s'
    -       
             return status_str % data

     def round_or_None(float_or_none):
         if float_or_none is None:
             return None
         else:
    -        return round(float_or_none, 2)
    \ No newline at end of file
    +        return round(float_or_none, 2)
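Review bot: the last hunk only removes a whitespace-only line and adds the missing newline at end of file in round_or_None; unrelated whitespace cleanup belongs in a separate commit so the GPIO change stays reviewable on its own.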



    References

    [1] http://www.raspbian.org
    [2] http://www.raspberrypi.org

    [3] http://w3af.org
    [4] http://pwnpi.sourceforge.net
    [5] https://github.com/andresriancho/w3af/blob/master/core/controllers/core_helpers/status.py
    [6] http://code.google.com/p/raspberry-gpio-python