Protecting/Encrypting sensitive data with Winzip

Filed under:Hardening, Tools — posted by Consultant on January 24, 2008 @ 5:15 am

I just found this rather excellent article on Winzip encryption by Dave Whitelegg, who took on the job of analysing the different types of encryption Winzip provides and then tested them to see how effective they really are in real-world usage.

The url of the article is the following:

http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html

I fully recommend going through the entire article. The question of whether using Winzip encryption is acceptable tends to come up when talking about deliverables. If you have to send a series of deliverables carrying sensitive information (a draft or final report, slides, anything) to a client who doesn’t really use PGP/GPG or any other kind of secure communication channel, then you’re looking at either crafting a self-decrypting archive through PGP Desktop, some other option, or using Winzip encryption.

The article discusses what you need to be aware of if you are planning to go for Winzip encryption.

Basically the main points are:

  • Don’t use Winzip encryption prior to Winzip version 9. Earlier versions carried a home-grown implementation that was broken several times.
  • Use AES, and choose whatever key size you like (the bigger the better, you could say).
  • Your password NEEDS TO BE (and don’t break any of these rules, because that’s what makes the protection strong):
    • At least 12 characters in length
    • Random, not containing any dictionary words, common words or names
    • At least one upper-case character
    • At least one lower-case character
    • At least one numeric character
    • At least one special character, e.g. $, £, *, %, &, !
  • Even if a file is protected/encrypted, Winzip lets you browse the directory structure and see the names of the encrypted files. Therefore it makes no sense to protect your super-secret client in bananas.zip if inside you’re going to find “Report - Super Secret Client Name here - 2008.pdf”.

And that’s it. One final comment: Winzip is not free. Keep that in mind; we’re talking about a commercial application here.
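As an added example (not code from the original post or from WinZip), here is a pre-send check in Python that applies the password rules above and lists archive entry names that mention a client, since those names stay readable without the password; the client name, the banned-word list and the sample archive are constructed.

```python
import io
import string
import zipfile

# Added example (not from the original post or from WinZip): a pre-send check
# for a zip deliverable. It applies the password rules the post lists and scans
# the archive's central directory, which any zip reader shows without the
# password, for entry names that give away who the client is.

MIN_LENGTH = 12
SPECIALS = set(string.punctuation) | {"£"}   # covers the post's $ £ * % & !

def password_problems(password, banned_words=()):
    """Rules from the post that `password` fails; empty list means all pass."""
    # banned_words stands in for a real dictionary/common-name list (assumption)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    for word in banned_words:
        if word.lower() in password.lower():
            problems.append(f"contains dictionary word {word!r}")
    return problems

def leaking_entries(zip_bytes, sensitive_terms):
    """(name, encrypted_flag, matched terms) for entries whose name leaks a term."""
    # Names come from the central directory (visible without the password); bit 0 of flag_bits = encrypted
    leaks = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            hits = [t for t in sensitive_terms if t.lower() in info.filename.lower()]
            if hits:
                leaks.append((info.filename, bool(info.flag_bits & 0x1), hits))
    return leaks

def build_sample_archive():
    """Constructed archive like the post's bananas.zip; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report - Acme Corp - 2008.pdf", b"dummy report")
        zf.writestr("slides.ppt", b"dummy slides")
    return buf.getvalue()
```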

Enjoy your day!

Magnetic card technology - going back to 1992

Filed under:Hardware — posted by Consultant on January 9, 2008 @ 7:28 am

And then again! I suddenly got interested in old technology. I found this excellent article, published back in 1992 in Phrack magazine issue #37 and called “Card-O-Rama: Magnetic Stripe Technology and Beyond”, which really gets you into magnetic card technology.

If you never cared about how the 1 to 3 magnetic stripes on the back of your credit card, supermarket card, etc. work, then you had better start reading this old but still fairly up-to-date paper :)

You should use this article along with some other sources of information; I’ll give you some Wikipedia links too. Unlike with barcodes, if you want to get hold of the hardware you need to start _researching_ with, you’re going to get a headache. There are fairly cheap magnetic card readers out there… but I hope you weren’t thinking of using your laser printer to print the 3 stripes on the back of a blank card. If you want to create your own cards, you need a card writer, and that’s where the headache starts.

A dozen years ago, if you wanted to get a writer you would get lots of questions in return. Why? Who are you? With what purpose? Now, in 2007, that has changed… a little. You can go ahead and find reader/writers on eBay, but look at the damn prices! You may not get questions in return, but you get high prices to keep you from buying one. But then again, if you REALLY want to start learning, you need to spend some cash.

I found a model on eBay called MSR 206 which is around 400 bucks in the US and probably a lot more expensive anywhere other than Taiwan :) Here’s the link.

http://search.ebay.com/search/search.dll?sofocus=bs&satitle=MSR206

So getting back to the documents, here’s the Phrack article:

“A Day in the Life of a Flux Reversal”
http://www.phrack.org/issues.html?issue=37&id=6#article

And a wikipedia entry:

“Magnetic stripe card”
http://en.wikipedia.org/wiki/Magnetic_stripe_card

Keep on learning!

Hacking Barcode technology

Filed under:Hardware — posted by Consultant on @ 7:10 am

A few days ago I found the following presentation by FX of Phenoelit at the Chaos Communication Congress, related to barcode technology in 1D and 2D formats. The one-dimensional format is the typical format you’re most familiar with, mostly used to tag books and originally created to tag cars. The 2D format is the latest one, also called matrix code (rings a bell?), and for both 1-D and 2-D there are several interesting variations. For instance, “Data Matrix” is a type of 2-D code that encodes data in a pattern of white and black squares, looking rather like ASCII art.

Anyhow, once you read the following PDF it gets you thinking: how old and usually vulnerable this technology is, and then again how much we use it. And, *for experimental, research and educational purposes only*, what kind of projects you could start working on.

Along with the PDF I include a couple of links. Getting a barcode reader is very cheap, and your local laser printer can most likely print any barcode you want.

So once in a while it’s nice to leave the web aside and focus your mind on other technology.

The PDF I just mentioned can be found at the following page:

http://events.ccc.de/congress/2007/Fahrplan/events/2273.en.html

Take a look at the following definitions:

http://en.wikipedia.org/wiki/Barcode

http://en.wikipedia.org/wiki/Data_Matrix

http://en.wikipedia.org/wiki/Aztec_Code

Wikipedia has a whole list of links to the different variations of 1-D and 2-D barcode symbols.

Boeing’s 787 may be vulnerable to hackers

Filed under:Articles — posted by Consultant on January 6, 2008 @ 6:36 am

Yes, just as you read in this article’s title. It’s insane and far from being true… but the question is, how far? Take a look at this article from wired.com: http://www.wired.com/politics/security/news/2008/01/dreamliner_security

They are stating that “The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.” This is hard to believe, but if it were the case then I would simply stop flying those damn planes :)

I know, and believe me _I know_, how distorted a story is by the time it arrives in the media. Any non-critical security vulnerability that reaches the press ends up being the end of the world, as in a Tom Cruise movie.

Either way, my experience is that *thank god the passenger interfaces are isolated*. I once took a plane that had multiplayer gaming software in each seat; I believe it was Alitalia. You were able to invite other seats to play with you, through standard games, or you could also play old MAME games (which rocked), but that was a single plane. Then there are the standard planes with a small screen and digital phone at each seat. They are equipped by default with a joystick behind the phone, which unluckily the airline never used. I have seen first-hand how, by messing around with the digital phone control, not only your own screen can core-dump but a whole column of seats behind you as well. I’m not saying *how*, so this is partial information; I’m not feeding any terrorists out there with new information :)

If they isolate one network from the other with firewalls, anyone flying that plane is screwed. If they isolate one network from the other with anything other than real physical isolation, i.e. anything that is the output of a programmer, then anyone flying that plane is screwed.

Good luck on your next trip!

Disabling binaries in shared hosting scenarios

Filed under:Hardening — posted by Consultant on January 3, 2008 @ 4:00 pm

This is a quick note and probably off-topic, probably not. But if you ever have a server dedicated to hosting multiple clients, you’ll want to remember this. It is very common for clients to install buggy software that ends up posing a threat to your hosting server, either because a new vulnerability was disclosed and is unpatched, or simply because the installed software lacks any security at all.

As a result, one or more of your clients get hacked by worms. Worms tend to use the following commands while exploiting vulnerable software in order to download larger pieces of payload that later get executed to mess things up even more. So we could say there’s stage 1, when the script gets hacked and, let’s say, a ‘command injection’ vulnerability is exploited, and stage 2, when the first small exploit downloads and executes the real thing, the malicious payload.

If you get to stage 2, then you’re either lucky or in big trouble (start identifying the damage), but the idea is to prevent one or more stage 2 situations. You don’t end up fixing the vulnerable script, no, but at least you lower the impact of the first automatic exploit.

The binaries that I tend to chmod to null (000), and that by experience (ouch!) are used by worms, are:

  • wget
  • curl
  • lpdownload
  • GET
  • links
  • lynx

It *really* helps prevent large disasters. By NO MEANS is this the solution, no, but it’s a tip for webmasters.
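An added example (not from the original post) that applies the chmod 000 tip above in Python and records the previous modes so the change can be reverted; the tool list is the one above, while the log path and the dummy binaries in demo() are assumptions/constructed.

```python
import json
import os
import stat
import tempfile

# Added example, not from the original post: lock down the fetch tools the post
# lists so a command-injection foothold in a client's script cannot use them to
# pull a second-stage payload. Each installed tool has its mode recorded (so the
# change can be reverted) and is then set to mode 000 as the post describes.
# Package upgrades reinstall binaries with default permissions, so the check is
# meant to be rerun periodically.

FETCH_TOOLS = ["wget", "curl", "lpdownload", "GET", "links", "lynx"]  # from the post

def find_tool(name, path=None):
    """Absolute path of `name` in PATH (or the given search path), executable or not."""
    for d in (path or os.environ.get("PATH", "")).split(os.pathsep):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def lock_fetch_tools(path=None, mode_log="/var/log/fetch-tools-modes.json"):
    """chmod 000 every installed tool; save and return {path: previous mode}."""
    previous = {}
    for tool in FETCH_TOOLS:
        found = find_tool(tool, path)
        if found is None:
            continue  # not installed on this host
        previous[found] = stat.S_IMODE(os.stat(found).st_mode)
        os.chmod(found, 0)
    with open(mode_log, "w") as fh:
        json.dump(previous, fh)
    return previous

def check_fetch_tools(path=None):
    """Listed tools whose execute bits are set again (e.g. after an upgrade)."""
    found = [find_tool(t, path) for t in FETCH_TOOLS]
    return [p for p in found if p and stat.S_IMODE(os.stat(p).st_mode) & 0o111]

def demo():
    """Run the lock/check cycle against constructed dummy binaries in a temp dir."""
    sandbox = tempfile.mkdtemp()
    for name in ("wget", "curl"):
        with open(os.path.join(sandbox, name), "w") as fh:
            fh.write("#!/bin/sh\n")  # constructed stand-in for the real tool
        os.chmod(os.path.join(sandbox, name), 0o755)
    previous = lock_fetch_tools(sandbox, os.path.join(sandbox, "modes.json"))
    clean = check_fetch_tools(sandbox)             # expected: []
    os.chmod(os.path.join(sandbox, "curl"), 0o755)   # simulate a package upgrade
    return previous, clean, check_fetch_tools(sandbox)
```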

Enjoy!

Voice of VOIPSA Blog - VOIP Security

Filed under:Blogs — posted by Consultant on @ 7:58 am

If you’re ever going to mess with Voice Over IP, then check out the following blog - it is all about VOIP Security.

http://voipsa.org/blog/

Just wanted to share that quick link - I’ll be writing something related to VOIP pentesting soon.

Oracle SQL Injection

Filed under:SQL injection — posted by Consultant on January 2, 2008 @ 1:10 pm

It’s been a long time. I wanted to share a nice link related to Oracle SQL injection. If you’re used to MSSQL/MySQL injection scenarios, then any time you run against an Oracle server you’ll feel something’s wrong, something’s different.

For instance, string concatenation is different: no longer %2B (the + character) but rather %7C (pipe characters, i.e. ||).

Take a look at the following site, it’s the “ORACLE SQL Injection Cheat Sheet”:

http://ferruh.mavituna.com/makale/oracle-sql-injection-cheat-sheet/
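As an added example, not from the post or the cheat sheet it links: a small request-log check that URL-decodes query strings and flags the concatenation operator of each database family (%2B for +, %7C%7C for ||, CONCAT() for MySQL); the sample queries are constructed.

```python
import re
from urllib.parse import parse_qsl

# Added example, not from the original post or the cheat sheet it links: a
# request-log check that URL-decodes query strings and flags the string
# concatenation operator each database family uses, so an injection attempt is
# recognised whichever backend the sender assumed. Note that '+' must arrive as
# %2B (a bare '+' decodes to a space) and '||' as %7C%7C. Samples are constructed.

PATTERNS = {
    "mssql_plus":   re.compile(r"'\s*\+|\+\s*'"),                # 'a' + 'b'
    "oracle_pipes": re.compile(r"\|\|"),                          # 'a' || 'b' (also PostgreSQL)
    "mysql_concat": re.compile(r"\bconcat(?:_ws)?\s*\(", re.I),   # CONCAT('a','b')
}

def flag_concat(query_string):
    """Return {param: [tags]} for decoded values that carry a concatenation operator."""
    findings = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        tags = [tag for tag, rx in PATTERNS.items() if rx.search(value)]
        if tags:
            findings.setdefault(name, []).extend(tags)
    return findings

def scan_requests(query_strings):
    """Pair each suspicious query string with its findings; quiet ones are dropped."""
    return [(q, f) for q in query_strings if (f := flag_concat(q))]

SAMPLE_QUERIES = [                # constructed
    "id=42",                      # benign
    "name=O%27Brien",             # benign apostrophe
    "user=x%27%2B%27y",           # decodes to x'+'y   -> MSSQL-style
    "user=x%27%7C%7C%27y",        # decodes to x'||'y  -> Oracle-style
    "user=x%27+%27y",             # bare '+' decodes to a space: no operator
    "q=concat%28a%2Cb%29",        # decodes to concat(a,b) -> MySQL-style
]

if __name__ == "__main__":
    for query, findings in scan_requests(SAMPLE_QUERIES):
        print(query, "->", findings)
```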

Have fun.
