Really? Haha, No…


Over the weekend, I participated in GoogleCTF2017, my first Capture The Flag (CTF) event. It was both humbling and exciting.  

If you had asked me three days ago what the absolute worst thing someone could say to me was, I would have given a completely different answer than I would today. Today, my answer is ‘Really? Haha, no…’, a phrase I heard far too many times as I worked through the challenges trying to find flags.

In a CTF, each team has a set of challenges that need to be solved in order to find the flag and grab the points. The flag is usually a short string in a fixed format, such as CTF{this-is-a-flag}.

CTF competitions touch on many aspects of information security including cryptography, steganography, reverse engineering, forensics, and other topics.

There are three common types of CTFs:

  • Attack and Defend
    • Red teams (offense) vs. blue teams (defense) actively attacking and defending network infrastructures.
  • Jeopardy
    • Challenges are broken up into multiple topics ranging from easy to difficult to insane.
  • Mixed
    • Varied formats, depending upon the host of the event.

GoogleCTF2017 was set up as a Jeopardy-style event, and it turns out that I knew more than I thought. Moreover, it was a wonderful experience competing against peers and picking up mad new skills while expanding my security knowledge.

In order to increase my skills in preparation for this CTF (and many others to follow), I used the websites below to practice and train.

As a Front-end developer, knowing how to exploit your own web applications before a cyber criminal can is critical, and Google Gruyere is an invaluable resource. You ‘learn by doing,’ and in that process you come to understand how applications can be attacked using cross-site scripting (XSS) and cross-site request forgery (XSRF) vulnerabilities. It also lets you find, fix, and avoid other bugs that have an impact on security, including:

  • Denial of service (DoS)
  • Information disclosure
  • Remote code execution

However, the greatest part of the weekend, which I have neglected to mention so far, was the elation you feel when you use tactics and exploits to find a flag and it works, i.e., ‘you have successfully hacked something, and you captured a flag.’ Today, I realized I belong in this field.

Results:

995 points, six challenges, ten hours, two days.

  • 1 Miscellaneous
    • Start Here (FAQ)
  • 3 Crypto Challenges
    • Crypto Backdoor
    • Introspective CRC
    • Shake it
  • 1 Pwn
    • Inst Prof
  • 1 Web
    • Joe

You don’t have to be an expert to compete in a CTF. You just need unrelenting curiosity and the passion to never quit! The purpose of the competition, besides capturing the flag, is to recognize your strengths and, more importantly, your weaknesses. CTFs require a great deal of work and dedication but are highly rewarding. Strive for excellence.


‘Know Thy Enemy,’ Distributed Denial of Service or DDoS.


We all know the axiom ‘know thy enemy’ – and this is above all germane to DDoS attacks.

Cybercriminals and their tactics are always evolving, becoming more dangerous and harder to detect by the day.

Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device causes the disruption and destruction, a DDoS attack is launched from numerous compromised devices, often dispersed globally, in what is referred to as a botnet, controlled remotely by the botnet herder over a covert channel such as Internet Relay Chat (IRC).

Some of the larger botnets, whose names come from the malware used to infect them, are estimated to number in the millions of bots; Zeus (Zbot), Conficker, and BredoLab (Oficla) are a few examples.

It is estimated that upwards of 3,000 websites fall victim to DDoS attacks daily. Even if the websites are back up and running the same day, the damage to revenue and to customer and/or client trust can follow organizations for years.

The primary purpose of a DDoS is to overload network layers with a substantial amount of outwardly legitimate traffic. Ultimately the traffic consumes a disproportionate amount of bandwidth within and/or outside the network and leaves network operations excruciatingly sluggish or effectively nonfunctional.

Adding to the confusion, botnet servers can be controlled either by a single botnet herder or by multiple herders. Ultimately, in any given DDoS attack there can be multiple origins and multiple controllers, making it much more complicated to mitigate than an attack originating from a single source.

The aggressiveness of DDoS attacks was illustrated last year by the Mirai botnet, whose attacks besieged several systems using compromised Internet of Things (IoT) devices.

IoT is expected to reach upwards of 25 billion televisions, refrigerators, watches, thermostats, and other connected devices by 2020, most with minimal to zero security to prevent malware infections, resulting in an unknown number of IoT devices ending up as mindless bots caught up in a criminal botnet.

To make matters worse, roughly 40 percent of malicious bots are able to emulate human behavior. Not only do the malicious bots deceptively present themselves to websites as legitimate bots, but they can also persistently change identities.

The infrastructure which enables these attacks is also increasing dramatically. Anyone with mal intentions can easily purchase on-demand botnet services for DDoS attacks.

They are readily available from a multitude of online sources for as little as $5 an hour to $40 per day, cloaked behind the label of ‘booter’ or ‘stresser’ services.

They are also referred to as ddosers, IP stressers, DDoS tools, and DDoS programs. No matter the name, they all provide the same service: on-demand DDoS attack capabilities for paying customers, at will.

Below find some of the more well-known Booters and Stressers which are easily accessed on the Internet.

NetworkStresser.com

120GB/s of combined power. Takes down everything. Working Skype resolver. Active support. Multiple payment options.

Betabooter.com

100GB/seconds. Easy to use. API. Insane Power. Accepts Paypal.

Critical-Boot.com

Good Power. Easy to use source. PayPal/Credit cards and 15% off Bitcoin. Build Your Plan.

There are three standard types of DDoS attacks including Volumetric, Application, and Protocol attacks.

Volumetric Attacks utilize massive amounts of traffic inundating the bandwidth of the host.

Volumetric attacks are generated by employing amplification techniques, which elicit server responses that are disproportionate to the original request packet, ultimately blocking access to a website or service completely. The extent of the attack is measured in either bits or packets per second. Domain Name System (DNS) amplification is a well-known volumetric attack.

DNS amplification is an asymmetrical attack in which the criminal exploits weaknesses in publicly accessible DNS servers, i.e., ‘the Internet’s backbone,’ by querying them with the target’s spoofed or ‘faked’ IP address, making them flood the target with large quantities of User Datagram Protocol (UDP) packets.

This results in small queries being turned into massive payloads that can ultimately be used to bring down even the most robust server(s).

Moreover, DNS amplification attacks often relay the exploited DNS requests through one or more botnets, radically increasing the volume of traffic and making it that much harder to track the attackers’ identities.
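One defender-side way to recognise this traffic pattern is to look for hosts on your own network that receive far more DNS reply bytes, from many distinct resolvers, than they ever sent in queries. The following is an added example and is not part of the original post; it assumes a simplified flow-record layout (source, destination, ports, byte count) and runs over constructed sample records rather than real captures, so the addresses, thresholds and byte counts are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal flow record (assumed layout; real NetFlow/IPFIX has more fields)."""
    src: str
    dst: str
    sport: int
    dport: int
    octets: int


# Constructed sample records. 192.0.2.0/24 is "our" network.
# 192.0.2.20 is an ordinary client: one small query, one modest reply.
# 192.0.2.10 sent no queries at all, yet four different open resolvers are
# sending it large UDP/53 replies: the signature of spoofed-source amplification.
SAMPLE_FLOWS = [
    Flow("192.0.2.20", "198.51.100.53", 51000, 53, 64),
    Flow("198.51.100.53", "192.0.2.20", 53, 51000, 180),
    Flow("203.0.113.1", "192.0.2.10", 53, 40000, 3800),
    Flow("203.0.113.2", "192.0.2.10", 53, 40000, 3700),
    Flow("203.0.113.3", "192.0.2.10", 53, 40000, 3900),
    Flow("203.0.113.4", "192.0.2.10", 53, 40000, 4100),
]


def amplification_suspects(flows, local_prefix="192.0.2.",
                           ratio_threshold=10.0, min_reflectors=3):
    """Return {local_ip: (reply_bytes, query_bytes, reflector_count)} for local
    hosts whose inbound DNS reply volume dwarfs their outbound query volume and
    arrives from at least `min_reflectors` distinct resolvers."""
    query_bytes = defaultdict(int)   # bytes each local host sent to port 53
    reply_bytes = defaultdict(int)   # bytes each local host received from port 53
    reflectors = defaultdict(set)    # distinct resolvers replying to each host
    for f in flows:
        if f.src.startswith(local_prefix) and f.dport == 53:
            query_bytes[f.src] += f.octets
        elif f.dst.startswith(local_prefix) and f.sport == 53:
            reply_bytes[f.dst] += f.octets
            reflectors[f.dst].add(f.src)

    suspects = {}
    for host, received in reply_bytes.items():
        sent = query_bytes.get(host, 0)
        # A host that never asked anything but is flooded with answers has an
        # "infinite" ratio; avoid dividing by zero.
        ratio = received / sent if sent else float("inf")
        if ratio >= ratio_threshold and len(reflectors[host]) >= min_reflectors:
            suspects[host] = (received, sent, len(reflectors[host]))
    return suspects


if __name__ == "__main__":
    for host, (recv, sent, n) in amplification_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {recv} reply bytes vs {sent} query bytes from {n} resolvers")
```

The reflector count matters as much as the byte ratio: a single misbehaving resolver returning large answers is a configuration problem, whereas many resolvers answering a host that asked nothing points at spoofed queries sent on that host's behalf.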

Application attacks exploit a weakness in Layer 7, or, as the name suggests, the application layer.

The cyber community, in general, agrees that application attacks are both the most sophisticated and the most challenging to identify and/or mitigate.

Application attacks begin by making a connection with the host and then exhaust the host’s resources by monopolizing processes and transactions. DNS flood attacks are the most well known.

DNS floods are a symmetrical attack that endeavors to exhaust server-side assets like memory or CPU, with an inundation of UDP requests, generated by malicious scripts running on multiple botnet machines. The criminals will often target one or more DNS servers belonging to a specified zone, with the goal of obstructing and overwhelming the resolution of resource records of that zone and its subzones.

Protocol attacks specifically exploit weaknesses in the Layer 3 and Layer 4 protocol stack by consuming all the processing capacity of intermediate critical resources, such as a firewall, causing service disruption. The most notorious such attack is the Ping of Death.

A ‘ping’ is a networking utility built on the Internet Control Message Protocol (ICMP) that determines whether or not a host is reachable. An ICMP echo request packet is sent to the host, and the host responds with an echo reply. A correctly formed packet may be no larger than 65,535 bytes; anything larger is in violation of the Internet Protocol.

Criminals, in turn, send malformed packets in fragments as fast as possible, which the host attempts to reassemble, using up bandwidth. This leads to a reassembled packet larger than the 65,535-byte limit of the Internet Protocol, causing a buffer overflow and eventually causing the host to crash and become unavailable to legitimate users. This is a Ping of Death DDoS attack.
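The defensive fix for this class of malformed fragments is to bound-check the reassembled size before any bytes are copied into the buffer, which is exactly what patched IP stacks do. The following is an added example and is not part of the original post: a toy fragment reassembler that uses plain byte offsets (real IPv4 stores the offset in 8-byte units in a 13-bit field) and rejects any fragment set that would exceed the 65,535-byte limit. The fragment sets for the benign and the oversized case are constructed by a helper in the block, not captured from the wire.

```python
MAX_IP_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits


class FragmentError(ValueError):
    """Raised when a fragment set can never form a legal datagram."""


def make_fragments(payload, chunk=1480):
    """Split `payload` into (offset, piece, more_fragments) tuples.

    Offsets are byte offsets for readability. This helper is a constructed
    stand-in for the sending side, not real packet-building code.
    """
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append((off, piece, off + chunk < len(payload)))
    return frags


def reassemble(fragments, limit=MAX_IP_DATAGRAM):
    """Reassemble fragments into one datagram, or raise FragmentError.

    The important line is the size check: it runs before the fragment is
    copied, so an oversized set can never grow the buffer past `limit`.
    """
    buf = bytearray()
    final_end = None
    for offset, piece, more in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(piece)
        if end > limit:                       # the Ping of Death check
            raise FragmentError(f"fragment ends at byte {end}, over the {limit} limit")
        if not more:
            if final_end is not None:
                raise FragmentError("more than one final fragment")
            final_end = end
        if len(buf) < end:
            buf.extend(b"\0" * (end - len(buf)))
        buf[offset:end] = piece
    if final_end is None:
        raise FragmentError("no final fragment seen")
    if len(buf) != final_end:
        raise FragmentError("data lies beyond the final fragment")
    return bytes(buf)


def reassembly_ok(fragments):
    """True if the set reassembles legally, False if the reassembler rejects it."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


# Constructed inputs: a normal 1500-byte ping split over a small path MTU, and
# a 65,600-byte one whose last fragment would land past the 16-bit limit.
BENIGN = make_fragments(b"x" * 1500, chunk=576)
OVERSIZED = make_fragments(b"y" * 65600, chunk=1480)

if __name__ == "__main__":
    print("benign set ok:", reassembly_ok(BENIGN))        # True
    print("oversized set ok:", reassembly_ok(OVERSIZED))  # False
```

A production reassembler also tracks holes (fragments that never arrive) and times the partial buffer out, otherwise incomplete sets become a memory-exhaustion vector of their own; the toy omits that to keep the size check in focus.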

DDoS scripts are most often written in Python, PHP, or Perl; the term refers to malicious software that enables the execution of DDoS attacks. Each script can differ in severity, ease of use and impact, and they attack at the application layer.

Some of the DDoS scripts available for free on the internet (too many to list) include

LOIC (Low Orbit Ion Cannon)

LOIC was made famous by the hacker group Anonymous. It is easy to use, especially for beginners, because of its GUI; all that is needed is the URL or IP address of the server. LOIC performs the DoS by sending UDP, TCP, or HTTP requests to the victim server.

XOIC

XOIC comes with an easy-to-use GUI, so all levels can easily use it to perform attacks on servers and websites anonymously and secretly. All that is required is an IP address.

XOIC has three modes: test mode, attack mode, and attack mode with a TCP/HTTP/UDP/ICMP message.

TORsHammer

Tors Hammer is written in Python, and it is a slow post tool* that can be run through the TOR network** and can kill most unprotected web servers running Apache and IIS by means of a single occurrence.

HOIC (High Orbit Ion Cannon)

HOIC is written in BASIC and is an open source network stresser that can attack as many as 256 URLs at any one time.

Slowloris

Slowloris is written in Python and operates at the application layer. It opens as many connections to the web server as it can and holds them open as long as possible by sending partial requests, periodically adding to them to keep the connections alive but never completing them, denying connection attempts from legitimate users.

DDoS toolkits are software packages that require greater resources and generally more in-depth knowledge of scripting and systems, and they attack the network layer. They infect computers and other Internet-connected (IoT) devices with malware in order to build a botnet.

The malicious bot landscape continues to evolve. More than 60 percent of Internet traffic is generated by bots, of which upwards of 30 percent is malicious bots, a force to be reckoned with when talking about Internet security.

DDoS attacks can be unassuming or sophisticated; regardless, they are always dangerous, calculated and profit-driven, with DDoS ransom being one of the nastiest elements.

Extortionists will demonstrate their capabilities by acting out an attack such as shutting down a website, followed by a threatening e-mail requesting a monetary sum usually in Bitcoin to be paid within a time-period. ‘Pay the ransom or face greater attacks.’

The extortionists will continue broadening their scope and diversifying their targets to include more diverse industry sectors and larger organizations and even larger payoffs.

Below find a few strategies which can make your network less vulnerable to attackers, remembering that there is no 100 percent solution to prevent cyberattacks. Continuous learning and continuous experimentation are critical.

  • Limit the number of new connections. Set a limit on the number of new connections a single user, or the network as a whole, may open during a given period of time. This simple strategy makes it that much harder for a criminal to overload systems.
  • Bandwidth shaping. If configured correctly, bandwidth shaping is an easy policy to apply against DDoS attackers.
  • Network segmentation. Dividing your network into public and internal segments, each protected by a firewall, protects your internal network when there is a DDoS attack against your public-facing systems.
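The first strategy above, capping new connections per client over a time window, is straightforward to express in code. The following is an added example, not from the original post: a sliding-window limiter keyed by client IP, driven by a constructed sequence of connection attempts rather than live traffic. The limits, the addresses and the event list are assumed values; a real deployment would enforce the same rule in a firewall, load balancer or web server module.

```python
from collections import defaultdict, deque


class NewConnectionLimiter:
    """Allow at most `max_new` new connections per client in any `window` seconds."""

    def __init__(self, max_new=5, window=10.0):
        self.max_new = max_new
        self.window = window
        self._recent = defaultdict(deque)   # ip -> timestamps of accepted connections

    def allow(self, ip, now):
        """Return True and record the connection, or False to reject it."""
        stamps = self._recent[ip]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_new:
            return False
        stamps.append(now)
        return True


# Constructed attempt log: (seconds, client_ip). 198.51.100.7 bursts eight
# connections in two seconds, 198.51.100.8 behaves normally, and 198.51.100.7
# comes back once the window has expired.
ATTEMPTS = [(0.0, "198.51.100.7")] * 4 + [(1.5, "198.51.100.7")] * 4 + [
    (2.0, "198.51.100.8"), (4.0, "198.51.100.8"), (6.0, "198.51.100.8"),
    (15.0, "198.51.100.7"),
]


def simulate(attempts, max_new=5, window=10.0):
    """Run the limiter over an attempt log; return {ip: (allowed, rejected)}."""
    limiter = NewConnectionLimiter(max_new, window)
    tally = defaultdict(lambda: [0, 0])
    for now, ip in sorted(attempts, key=lambda a: a[0]):
        tally[ip][0 if limiter.allow(ip, now) else 1] += 1
    return {ip: tuple(counts) for ip, counts in tally.items()}


if __name__ == "__main__":
    for ip, (ok, dropped) in simulate(ATTEMPTS).items():
        print(f"{ip}: {ok} accepted, {dropped} rejected")
```

Per-IP limits blunt a single noisy source but not a distributed flood where every bot stays under the threshold; that is why the post pairs this control with bandwidth shaping and segmentation rather than relying on it alone.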

CyberSecurity is a shared responsibility. Stop. Think. Connect.

Python for Fun.


Python is one of the easiest languages to learn, due to its simplicity, readability and straightforward syntax. Additionally, it is excellent for Rapid Application Development (RAD), a software development methodology that uses minimal planning in favor of rapid prototyping. It also works well as a scripting language. The Python interpreter and the extensive standard library are available for all major platforms without charge, in source or binary form.

Python is hands down my favorite programming language because of the quick turnaround, since there is no compilation step. In addition, debugging Python programs is super easy: neither a bug nor bad input will cause a segmentation fault. Rather, an exception is raised when the interpreter discovers an error.

Python was developed by Guido van Rossum in 1991 and has seen a pronounced surge in popularity, due in part to Google’s investment in the language over the past several years.

Python has associated web frameworks which make it more convenient to develop web-based applications. Some robust sites (off the huge list) operating in Python include Quora, Dropbox, and Google.

Python is useful in applications that run entirely in-browser.

  • Websites
  • E-Commerce Websites (Etsy, Amazon)
  • Social Media Websites (Reddit)
  • Educational Websites (Wikipedia, Dictionary.com)
  • Search Engines (Google)

Here is a simple but fun Python code for creating a Password Generator. Copy it, try it and enjoy learning.

import string
from random import choice, randint

letters = string.ascii_letters      # a-z and A-Z
digits = string.digits              # 0-9
symbols = string.punctuation        # !"#$%&' and the other printable symbols
chars = letters + digits + symbols

min_length = 8
max_length = 16

# pick a length between min_length and max_length, then one random character per position
# (the random module is fine for a toy like this; real credentials should come from the secrets module)
password = ''.join(choice(chars) for x in range(randint(min_length, max_length)))
print(password)
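For anything beyond a toy, a password generator should draw from the operating system’s cryptographic random source rather than the random module, whose Mersenne Twister output is predictable once enough of it has been observed, and it should guarantee at least one character from each class so a short password cannot come out all lowercase by chance. The following is an added example and is not code from the original post; secrets, string and math are standard library, while the class layout, the default length and the entropy helper are assumptions made here.

```python
import math
import secrets
import string

# Character classes the password must cover at least once.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)   # 94 printable ASCII characters


def generate_password(length=16):
    """Return a password of `length` characters drawn from a CSPRNG.

    secrets.choice is backed by os.urandom, unlike random.choice, which is
    seeded from a predictable generator state.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    # One guaranteed pick from each class, then fill the rest from the whole alphabet.
    picks = [secrets.choice(cls) for cls in CLASSES]
    picks += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Shuffle so the guaranteed picks are not always in the first four positions.
    secrets.SystemRandom().shuffle(picks)
    return "".join(picks)


def has_all_classes(password):
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

Forcing one character per class slightly reduces the true entropy below the uniform bound that entropy_bits reports, but it removes the weak edge cases a policy checker would reject anyway; at 16 characters over 94 symbols the bound is about 105 bits.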

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Not so fast. Is that Web App secure?


I have been waiting for this call my entire life: the chance to host Uncle Murph’s birthday celebration. The best part was creating my own individualized version of his favorite cake from a recipe known only to my Aunt Kate and a few chosen family members.

With shopping list in hand, I was off to the market. Arriving back at home, I had the bounty of ingredients laid out before me, measured and in order. However, something was awry: nothing but space where the most vital ingredient was supposed to be. Somehow, I had overlooked it. Uncle Murph’s cake would not happen without a return trip to the market. Nevertheless, out of chaos comes opportunity, because that day the idea for a web app was formed.

My web application was not just your run-of-the-mill shopping application, but a fail-safe meal(s) prep guide targeting anyone who returned from the market missing critical items. Applying Python with JavaScript for utility and function, a month of my time and 100+ lines of code later, my Chef’s Fail-safe Prep App was complete. (Not so fast!)

A recommended security code review revealed that I would need, at a minimum, 500+ additional lines of code to account for all the things that could, and most likely would, go wrong.

Wait, what? Throughout my education in writing code, it was stressed that the Internet was built for ‘openness and speed,’ not for security; security could always be added at a later time. However, the development of my app impressed upon me that writing good code is an enormous task. If not done correctly, a range of execution issues and errors can occur, including two very well-known web exploits: cross-site request forgery (XSRF) and cross-site scripting (XSS). Just what are these exploits?

  • “XSRF attacks trick a user’s browser into sending a forged HTTP request, including the user’s session cookie and authentication information, to a vulnerable web application. XSRF allows an attacker to force the user’s browser to generate requests, allowing attackers to update account details, make purchases, log out, and log in.” Wikipedia
  • “XSS attacks occur when malicious scripts are injected into trusted websites. The malicious script is passed to the end user’s browser. Once executed, the malicious scripts (JavaScript, VBScript, ActiveX, Flash, or HTML) can access any cookies, session tokens, or sensitive information retained by your browser and used with that site. XSS attacks allow the attacker to gain a high level of control over the user’s system and communicate directly with the site that the user is connected to.” Wikipedia

The fundamental difference between XSRF and XSS lies inside the ‘victim’s browser.’ An XSRF’s goal is to exploit the trust that a website has in the visitor’s browser, while XSS is intended to exploit the trust the user has in a specific internet site.
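Two of the countermeasures a security code review asks for on exactly these points are a per-session CSRF token, checked in constant time before any state-changing request is honoured, and escaping of user-supplied text before it is placed into HTML. The following is an added example, not code from the original post or the app it describes, and not any framework’s API: a framework-free sketch using only the standard library, where the session id, the form dictionary and the server secret are constructed stand-ins.

```python
import hashlib
import hmac
import html
import secrets

# Per-deployment secret used to derive CSRF tokens (constructed here; in
# practice it comes from configuration, never from source control).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Derive the token for a session: HMAC-SHA256 over the session id.

    Because the token is bound to the session, one lifted from a different
    session is useless here, and no server-side token table is needed.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    """Constant-time comparison so response timing does not leak token bytes."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def render_comment(text):
    """Escape before interpolating into HTML so script tags become inert text."""
    return '<p class="comment">{}</p>'.format(html.escape(text, quote=True))


def handle_post(session_id, form):
    """Handle a state-changing POST: reject forged requests, then render safely.

    `form` is a plain dict standing in for the parsed request body.
    """
    if not csrf_valid(session_id, form.get("csrf_token")):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, render_comment(form.get("comment", ""))


if __name__ == "__main__":
    sid = "session-abc123"                       # constructed session id
    good = {"csrf_token": csrf_token(sid), "comment": "Add eggs <b>twice</b>"}
    print(handle_post(sid, good))
    print(handle_post(sid, {"comment": "no token"}))
    print(handle_post(sid, {"csrf_token": csrf_token("other-session"), "comment": "x"}))
```

The two checks map onto the two trust relationships above: the token proves the request came from a page the site itself served to this session (the site’s trust in the browser), and escaping keeps a stranger’s input from running as the site’s own script in another visitor’s browser (the user’s trust in the site). Browsers also now support SameSite cookies as a second layer for the first problem.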

A deeper understanding of XSRF, XSS and other vulnerabilities can be found in the Open Web Application Security Project (OWASP) Top 10 list, which identifies the most critical application security risks. The Top 10 is an industry best practice for preventing web app vulnerabilities and is utilized by many individuals and security organizations.

The amount of data managed by web apps is growing exponentially, driven by business demand, from online banking to your next Uber ride and everything in between. Web applications are entrusted to manage our most confidential and personal information securely; failing to grasp the nature of this trust can be hazardous. A single vulnerability can lead to data breaches; it can also result in the theft of personally identifiable information (PII), which often proves the most costly and detrimental to organizations: negative headlines, financial and reputational penalties, and legal and regulatory sanctions that can quickly escalate into the millions of dollars.

Two worthy mentions of web app attacks include Yahoo! and Ashley Madison.

Yahoo!

  • Multiple data breaches in 2012, 2013, 2014
  • Estimated 1 Billion users affected.
  • Yahoo! Proprietary Source Code was appropriated.
  • PII compromised including:
    • Names
    • Telephone Numbers
    • Dates of Birth
    • Encrypted Passwords
    • Unencrypted security questions

Ashley Madison

  • 11+ million passwords appropriated.
  • 30+ million private accounts compromised.
  • Identities exposed and targeted directly.
  • Organizations associated with Ashley Madison may face both financial and reputational damages.

Verizon’s 2016 Data Breach Investigations Report (DBIR) identified web application attacks as accounting for 5,334 incidents, 908 of which involved confirmed data disclosure. Moreover, “95 percent of the confirmed web app breaches were financially motivated.”

[Figure: Verizon DBIR web application attacks graph. Source: Verizon]

When it comes to web app security, complacency is not an option. Unfortunately, secure coding is often a postscript, until of course a security breach is exposed, and then it is too late. Developers need to incorporate best practices into their development. Moreover, it is not satisfactory to find a few vulnerabilities during testing; you need to uncover them all. The risks are inestimable.

Below, find my ultimate shopping list helper written in Python. Try it. Have fun! Learn!

shopping_list = []


def remove_item(idx):
    # idx is the 1-based number shown by show_list()
    index = idx - 1
    if index < 0 or index >= len(shopping_list):
        print("There is no item with that number.")
        return
    item = shopping_list.pop(index)
    print("Removed {}.".format(item))


def show_help():
    print("\nSeparate each item with a comma.")
    print("Type DONE to quit, SHOW to see the current list, REMOVE to delete an item, and HELP to get this message.")


def show_list():
    count = 1
    for item in shopping_list:
        print("{}: {}.".format(count, item))
        count += 1


print("Give me a list of things to shop for.")
show_help()

while True:
    new_stuff = input("> ")

    if new_stuff == "DONE":
        print("\nHere is your list:")
        show_list()
        break
    elif new_stuff == "HELP":
        show_help()
        continue
    elif new_stuff == "SHOW":
        show_list()
        continue
    elif new_stuff == "REMOVE":
        show_list()
        idx = input("Which item? Tell me the number. ")
        if idx.isdigit():
            remove_item(int(idx))
        else:
            print("That is not a number.")
        continue
    else:
        new_list = new_stuff.split(",")
        index = input("Add this at a certain spot? Press enter for the end of the list "
                      "or give me a number. Currently {} items in the list. ".format(
                          len(shopping_list)))
        if index.isdigit():
            spot = int(index) - 1
            for item in new_list:
                shopping_list.insert(spot, item.strip())
                spot += 1   # advance so the items keep the order they were typed in
        else:
            for item in new_list:
                shopping_list.append(item.strip())

Cybersecurity is a shared responsibility. Stop. Think. Connect.