Security

There are 13 entries in this Category.

Holiday postal receipt virus

I have attached a link to the questionable file on the bottom of this post. Be careful.

Neither ClamAV nor Avast detected a virus. (phxf-virus-1)

My wife found this in her inbox. I used to develop spam signatures at my previous job so as a habit I asked her the things that tipped her off that something wasn’t kosher. She came up with a list of indicators:

  • There was a mismatch between the date listed and the day of the week. For example it was dated Monday, 2 December 2012, 11:23 AM which was a Sunday
  • The email came from ‘Priority Shipping Service’ which did not seem to be associated with Fedex
  • Fedex always leaves a door slip when you miss a delivery
  • The language in the email did not seem to come from a native English speaker
  • We also were not expecting any packages
  • The email greeted “Dear customer” instead of her name
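
Two of the indicators in this list, the weekday that does not match the date and the generic greeting, can be checked mechanically. The following is an added example, not part of the original post; the function names and the sample message text are constructed for illustration.

```python
import re
from datetime import date

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# Dates written like "Monday, 2 December 2012"
DATE_RE = re.compile(r"\b(%s),\s+(\d{1,2})\s+(%s)\s+(\d{4})\b"
                     % ("|".join(DAYS), "|".join(MONTHS)))
# Greeting that addresses a role instead of a person
GREETING_RE = re.compile(r"^\s*dear\s+(customer|client|user)\b", re.I | re.M)


def weekday_mismatches(text):
    """Return (claimed_day, calendar_day, date_text) for every inconsistent date."""
    bad = []
    for claimed, day, month, year in DATE_RE.findall(text):
        date_text = "%s %s %s" % (day, month, year)
        try:
            actual = DAYS[date(int(year), MONTHS.index(month) + 1, int(day)).weekday()]
        except ValueError:
            actual = None  # impossible calendar date such as 31 February
        if actual != claimed:
            bad.append((claimed, actual, date_text))
    return bad


def indicators(text):
    """Collect a readable line for each indicator found in one message body."""
    found = ["date %s is labelled %s, calendar says %s" % (d, claimed, actual)
             for claimed, actual, d in weekday_mismatches(text)]
    if GREETING_RE.search(text):
        found.append("generic greeting instead of the recipient's name")
    return found


# Constructed sample modelled on the message described in this post
SAMPLE = """Dear customer,
Your parcel could not be delivered on Monday, 2 December 2012, 11:23 AM.
Please print the attached postal receipt."""

if __name__ == "__main__":
    for line in indicators(SAMPLE):
        print(line)
```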

Here is a screenshot of the email with link to the payload:

WARNING The FILE BELOW MAY DAMAGE YOUR COMPUTER

(view the source of this page for a link to the file)

WARNING The FILE ABOVE MAY DAMAGE YOUR COMPUTER

how to drain an iPhone battery without needing passcode

  1. Press home button
  2. Slide camera button up
  3. Slide mode to video
  4. Turn on flash
  5. Put iPhone on table with light pointed down
  6. Walk away inconspicuously
Extra points if you set the camera to record (just don’t record yourself or sounds) which will fill up the iPhone capacity.

nosslsearch cname is a bad idea and solution


Google SafeSearch and SSL Search for Schools suggests implementing the following changes to the network:
To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.

Here are the reasons why this is a bad idea and solution:
  • In order to create a CNAME record for www.google.com we need to become an authoritative master of that zone.
  • If you become an authoritative master you need to host all of Google’s DNS resource records for the domain.
  • Google is asking us to DNS poison its flagship product on our networks.
  • If other companies follow suit the internet will quickly become unmanageable. DNS was not meant to work this way.
  • Not all networks have a local DNS server

This is a bad idea. Please change your stance on this matter.

Reference: http://support.google.com/websearch/bin/answer.py?hl=en&answer=186669

How to capture HTTPS SSL TLS packets with wireshark

This article will explain how to use wireshark to capture TCP/IP packets. Specifically I will show how to capture encrypted (HTTPS) packets and attempt to document the “dance” a client and server do to build an SSL tunnel.

What is Wireshark?

Wireshark is a network protocol analyzer for Windows, OSX, and Linux. It lets you capture and interactively browse the traffic running on a computer network. Similar software includes tcpdump on Linux.

Install Wireshark

First step, acquire Wireshark for your operating system.

Ubuntu Linux: sudo apt-get install wireshark

Windows or Mac OSX: search for wireshark and download the binary.

How to capture packets

This is Wireshark’s main menu:

To start a capture, click the following icon:

A new dialog box should have appeared. Click start on your preferred interface:

You are now capturing packets. The packet information is displayed in the table below the main menu:

Now browse to an HTTPS website with your browser. I went to https://linkpeek.com and after the page completely loaded, I stopped the Wireshark capture:

Depending on your network, you could have just captured MANY packets. To limit our view to only interesting packets you may apply a filter. Filter the captured packets by ssl and hit Apply:

Now we should be only looking at SSL packets.

Next we will analyze the SSL packets and answer a few questions

1. For each of the first 8 Ethernet frames, specify the source of the frame (client or server), determine the number of SSL records that are included in the frame, and list the SSL record types that are included in the frame. Draw a timing diagram between client and server, with one arrow for each SSL record.

Frame 1 client | 1 record | Arrival Time: Feb 15, 2012 15:38:55.601588000
Frame 2 server | 1 record | Arrival Time: Feb 15, 2012 15:38:55.688170000
Frame 3 server | 2 records | Arrival Time: Feb 15, 2012 15:38:55.688628000
Frame 4 client | 3 records | Arrival Time: Feb 15, 2012 15:38:55.697705000
Frame 5 server | 2 records | Arrival Time: Feb 15, 2012 15:38:55.713139000
Frame 6 client | 1 record | Arrival Time: Feb 15, 2012 15:38:55.713347000
Frame 7 server | 0 records | Arrival Time: Feb 15, 2012 15:38:55.713753000
Frame 8 server | 1 record | Arrival Time: Feb 15, 2012 15:38:55.715003000

2. Each of the SSL records begins with the same three fields (with possibly different values). One of these fields is “content type” and has length of one byte. List all three fields and their lengths.

Each hexadecimal digit (also called a “nibble”) represents four binary digits (bits) so each pair of hexadecimal digits equals 1 byte.
a. Destination mac address | 6 bytes | 00 21 9b 31 99 51
b. Source mac address | 6 bytes | 00 10 db ff 20
c. Type: IP | 2 bytes | 08 00

ClientHello Records

3. Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the frame that contains the first one.) What is the value of the content type?

hex: 16 (16+6=22) Handshake
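
At the SSL/TLS layer every record starts with a 5-byte header: content type (1 byte), protocol version (2 bytes) and length (2 bytes). The following added example (not from the original article) walks a TCP payload, counts the records in it and names their content types, as question 1 asks per frame. The payload is constructed with filler bodies, and the three record types chosen for it are an assumption.

```python
import struct

# SSL/TLS record content types (the 1-byte field that opens every record)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                 22: "Handshake", 23: "ApplicationData"}
HEADER_LEN = 5  # content type (1) + protocol version (2) + length (2)


def parse_records(payload):
    """Walk one TCP payload and return (records, leftover_bytes).

    Each record is (type_name, (major, minor), body_length). leftover_bytes is
    the tail of a record that is cut off and continues in the next frame; the
    caller prepends it to the next payload before parsing again.
    """
    records, offset = [], 0
    while len(payload) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not an SSL/TLS record header at offset %d" % offset)
        if offset + HEADER_LEN + length > len(payload):
            break  # record spans into the next frame
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        offset += HEADER_LEN + length
    return records, payload[offset:]


def make_record(ctype, body, version=(3, 1)):
    """Build one record around a body (used only to construct the sample)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed payload carrying three records, the count the trace shows for
# frame 4. Bodies are filler bytes, not real handshake messages.
FRAME_4 = (make_record(22, b"\x10" + b"\x00" * 133)
           + make_record(20, b"\x01")
           + make_record(22, b"\x00" * 48))

if __name__ == "__main__":
    recs, rest = parse_records(FRAME_4)
    for name, version, length in recs:
        print(name, version, length)
    print("leftover bytes:", len(rest))
```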

4. Does the ClientHello record advertise the cipher suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm?

MD5, SHA, RSA, DSS, DES, AES

ServerHello Records

5. Look to the ServerHello packet. What cipher suite does it choose?

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

6. Does this record include a nonce? If so, how long is it? What is the purpose of the client and server nonces in SSL?

Yes, 28 bytes. The ClientHello packet also generated a nonce. They are used to make the session communication between the two nodes unique. It seeds the communication to prevent replay attacks. A replay attack is using data from old communications to “crack” a current communication.

7. Does this record include a session ID? What is the purpose of the session ID?

Yes. This makes things efficient in case the client plans to close the current connection and reconnect in the near future.

8. How many frames does the SSL certificate take to send?

In this case it took 4 frames

Block cipher lab

This entry is part 7 of 7 in the series Computer Network Security

Consider the following block cipher. Suppose that each block cipher T simply reverses the order of the eight input bits (so that, for example 11110000 becomes 00001111).

Further suppose that the 64-bit scrambler does not modify any bits. With n = 3 iterations and the original 64-bit input equal to 10100000 repeated eight times, what is the value of the output?

Now change the last bit of the original 64-bit input from 0 to a 1. Now suppose that the 64-bit scrambler reverses the order of the 64 bits.

Solution in python:
def chunks( l, n ):
    """accept a list and chunk size, return chunks"""
    return [ l[ i:i+n ] for i in range( 0, len(l), n ) ]

def T( blocks ):
    """for each block, reverse block, return blocks"""
    result = []
    for block in blocks:
        result.append( ''.join( [bit for bit in reversed( block )] ) )

    return result

def scrambler( bits ):
    """reverse the order of the input bits"""
    return ''.join( [i for i in reversed( bits ) ] )

def cipher1( bits, n = 3, chunk_length = 8 ):
    """make chunks out of input, reverse each chunk n times, return result"""
    blocks = chunks( bits, chunk_length )
    for i in range( 0, n ): blocks = T( blocks )
    return ''.join( blocks )

def cipher2( bits, n = 3, chunk_length = 8 ):
    """same as cipher1 but with scrambler"""
    blocks = chunks( bits, chunk_length )
    for i in range( 0, n ):
        blocks = T( blocks )
        blocks = chunks( scrambler( ''.join( blocks ) ), chunk_length )
    return ''.join( blocks )

if __name__ == "__main__":

    # original input: 10100000 repeated eight times
    bits = "1010000010100000101000001010000010100000101000001010000010100000"
    print( cipher1( bits ) )
    # output: 0000010100000101000001010000010100000101000001010000010100000101

    # last bit changed from 0 to 1
    bits = "1010000010100000101000001010000010100000101000001010000010100001"
    print( cipher1( bits ) )
    # output: 0000010100000101000001010000010100000101000001010000010110000101

    bits = "1010000010100000101000001010000010100000101000001010000010100000"
    print( cipher2( bits ) )
    # output: 1010000010100000101000001010000010100000101000001010000010100000

    bits = "1010000010100000101000001010000010100000101000001010000010100001"
    print( cipher2( bits ) )
    # output: 1010000110100000101000001010000010100000101000001010000010100000

Monoalphabetic Cipher and Inverse Written in Python

This entry is part 6 of 7 in the series Computer Network Security

Here is my implementation of a Monoalphabetic Cipher written with a python dictionary:
monoalpha = {
    'a': 'm',
    'b': 'n',
    'c': 'b',
    'd': 'v',
    'e': 'c',
    'f': 'x',
    'g': 'z',
    'h': 'a',
    'i': 's',
    'j': 'd',
    'k': 'f',
    'l': 'g',
    'm': 'h',
    'n': 'j',
    'o': 'k',
    'p': 'l',
    'q': 'p',
    'r': 'o',
    's': 'i',
    't': 'u',
    'u': 'y',
    'v': 't',
    'w': 'r',
    'x': 'e',
    'y': 'w',
    'z': 'q',
    ' ': ' ',
}

# build the inverse mapping (ciphertext letter -> plaintext letter)
inverse_monoalpha = {}
for key, value in monoalpha.items():
    inverse_monoalpha[value] = key

message = "This is an easy problem"
encrypted_message = []
for letter in message:
    encrypted_message.append( monoalpha[letter.lower()] )

print( ''.join( encrypted_message ) )
The encrypted output: uasi si mj cmiw lokngch

Now we may use the inverse cipher to decrypt a message, “rmij’u uamu xyj”

encrypted_message = "rmij'u uamu xyj"
decrypted_message = []
for letter in encrypted_message:
    try:
        decrypted_message.append( inverse_monoalpha[letter] )
    except KeyError:
        # characters outside the mapping (such as the apostrophe) pass through
        decrypted_message.append( letter )

print( ''.join( decrypted_message ) )
Decrypted message: wasn't that fun

Why does a Hash provide better message integrity than an Internet checksum?

This entry is part 5 of 7 in the series Computer Network Security
Why does a Hash provide better message integrity than an Internet checksum?

A hash aims to produce a unique “key” without collisions. A hash also attempts to be computationally difficult to reverse.

An Internet checksum is designed to detect common errors quickly and efficiently. An Internet checksum does not attempt to prevent collisions.

A Hash provides better message integrity because it has fewer collisions than an Internet checksum. A collision means there is more than one way to produce the same sum.

Let H() be a hash function. Let x and y be two differing messages. H(x) = H(y) would be a collision.
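
To make the difference concrete, the following added example (not part of the original post) implements the Internet checksum as specified in RFC 1071 and builds two differing messages x and y that collide under it, while their SHA-256 hashes differ. The messages and helper names are constructed for illustration.

```python
import hashlib


def internet_checksum(data):
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return ~total & 0xFFFF


def swap_words(data, a, b):
    """Return data with 16-bit words number a and b exchanged."""
    words = [data[i:i + 2] for i in range(0, len(data), 2)]
    words[a], words[b] = words[b], words[a]
    return b"".join(words)


def compare(x, y):
    """Return (checksums_equal, hashes_equal) for two messages."""
    return (internet_checksum(x) == internet_checksum(y),
            hashlib.sha256(x).digest() == hashlib.sha256(y).digest())


# Constructed messages: Y is X with two 16-bit words exchanged. Addition is
# commutative, so the checksum cannot see the reordering.
X = b"PAY 0100 TO BOB "
Y = swap_words(X, 2, 3)

if __name__ == "__main__":
    print(X, Y)
    print("checksum x: %04x  checksum y: %04x"
          % (internet_checksum(X), internet_checksum(Y)))
    print("sha256 x:", hashlib.sha256(X).hexdigest())
    print("sha256 y:", hashlib.sha256(Y).hexdigest())
```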

When discussing Hash Cryptography I like to show examples using python.

In this example I will produce a MD5 hash fingerprint of a message:

import hashlib as h
message = "This message will be placed into an MD5 hash function to authenticate its integrity."
# hash functions operate on bytes, so encode the text first
print(h.md5(message.encode()).hexdigest())
Hash Output:
18f189f94b245ad8566206c199b4f60a

Now if I passed that message to you along with its MD5 hash hex representation, you could put the message into your own MD5 hash function and compare the resulting hash. This method is used to ensure message or data integrity.

Can you “decrypt” a hash of a message to get the original message?

By design a good hash algorithm will prevent you from decrypting a hash to get the original message. However a rainbow table could be used to quickly find matches. In this case a more robust solution would be to use salt or shared secret.

What is salt or a shared secret?

You can use salt or a shared secret to add extra data to a message before hashing with a publicly known algorithm. Below I will document how to properly add salt to a message before generating a SHA256 hash.

import hashlib as h
message = "This message and some salt will be hashed with SHA 256."
salt = "This is some secret salt data"
# message and salt are concatenated before hashing
print(h.sha256((message+salt).encode()).hexdigest())
Hash Output:
5e8d86bab9604620f19cfbc5f836f47feb9e8c9e74264fff1f4938bdaab1eeaa

Adding a salt to the message allows us to use a publicly known algorithm in a more protected manner. This method helps protect against rainbow table cracking.

Can you spot the error in the python code below?
import hashlib as h
message = "This message and some salt will be hashed with SHA 256."
salt = "This is some secret salt data"
print(h.sha256(message.encode()).hexdigest()+salt)

If you guessed that the message and salt BOTH need to be hashed together then you are correct!

The above code would have produced the following invalid hash:

Hash Output:
79cd4bfa1bcb71a7a1b5bfd5e8cfc8368a6cc6cb836d24bf04f2ef2bd0e81261This is some secret salt data
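
When the extra data is a shared secret used to authenticate a message, the Python standard library provides a keyed construction, HMAC, together with a constant-time comparison. The following added example (not part of the original post) swaps HMAC-SHA256 in for the concatenation used above and shows that the mistaken variant produces a hash that does not depend on the secret at all; the helper names are hypothetical.

```python
import hashlib
import hmac


def keyed_tag(secret, message):
    """HMAC-SHA256 tag: depends on both the message and the shared secret."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, message, tag):
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(keyed_tag(secret, message), tag)


def buggy_tag(secret, message):
    """The mistake shown above: the secret is appended after hashing,
    so the hash part is computed from the message alone."""
    return hashlib.sha256(message).hexdigest() + secret.decode()


def hash_part_depends_on_secret(tag_fn, message):
    """True if changing the secret changes the first 64 hex characters."""
    first = tag_fn(b"secret one", message)[:64]
    second = tag_fn(b"secret two", message)[:64]
    return first != second


# Message and secret reuse the strings from the post
MESSAGE = b"This message and some salt will be hashed with SHA 256."
SECRET = b"This is some secret salt data"

if __name__ == "__main__":
    tag = keyed_tag(SECRET, MESSAGE)
    print("valid tag accepted:", verify(SECRET, MESSAGE, tag))
    print("modified message accepted:", verify(SECRET, MESSAGE + b"!", tag))
    print("wrong secret accepted:", verify(b"guess", MESSAGE, tag))
    print("HMAC depends on secret:", hash_part_depends_on_secret(keyed_tag, MESSAGE))
    print("buggy hash depends on secret:",
          hash_part_depends_on_secret(buggy_tag, MESSAGE))
```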


Symmetric Encryption vs Public Key Encryption

This entry is part 4 of 7 in the series Computer Network Security
How many keys are involved for symmetric key encryption? How about public key encryption?

Suppose you have N people who want to communicate with each other using symmetric keys. All communication between any two people, i and j, is visible to group N. Only person i and person j can decrypt each other's messages.

How many keys would Symmetric Encryption require to protect group N?

I solved this with the following python function:

def count_symmetric_keys( N=2 ):
    """Provide the number of entities in group N.
    return the number of symmetric keys needed for this group"""
    keys = 0
    for i in range( 0, N ): keys += i
    return keys

If group N had 10 members, it would need to generate and maintain 45 Symmetric Keys.

If group N had 50 members, it would need to generate and maintain 1125 Symmetric Keys.

Symmetric keys are also susceptible to man-in-the-middle attacks. This attack occurs when an entity poses as a trusted entity. Let i and j be trusted entities. Let k be an untrusted attacker. If k determined the symmetric key, it could send or receive messages posing as i or j.

How many keys would Public-key Encryption require to protect group N?

Public Key Encryption requires 2n keys or two keys per person in group N. Public key encryption also does not require ‘pre sharing’ the secret key before communication may start. Each member would need 1 public key and 1 private key.

If group N had 10 members, it would need to generate and maintain 20 Public/Private Keys.

If group N had 50 members, it would need to generate and maintain 100 Public/Private Keys.

Attributes of an 8-block cipher

This entry is part 3 of 7 in the series Computer Network Security
Consider an 8-block cipher and answer the following:

How many possible input blocks does this cipher have? How many possible mappings are there? If we view each mapping as a key, then how many possible keys does this cipher have?

To find the input blocks of this cipher we raise 2 to the 8th power. 2^8 = 256 possible inputs.

To find the number of possible mappings we take the factorial of the 256 input blocks. There are 256! possible mappings.

We can view each of these mappings as a key, so this cipher has 256! keys.

Reasons why some Internet entities might want secure communication

This entry is part 2 of 7 in the series Computer Network Security

Internet entities often need to communicate securely.

Here are some reasons why some Internet entities might want secure communication:
  1. Web Servers: Communication on the Internet, or any network for that matter, should be encrypted before transmitting sensitive data. This will help prevent snooping from unauthorized parties. Most often SSL or HTTPS may be used to create a secure communication “tunnel” between a web server and a web client (browser).
  2. Server Administration: A secure protocol should always be used when administering a server or remote computer. Typically SSH (Secure Shell) is used.
  3. DNS Servers: Using DNSSEC could help prevent DNS poisoning and certifies DNS data. DNS was first conceived as a distributed and highly scalable address lookup system. Security was not its top priority. Since then we have new DNSSEC extensions which allow for origin authentication of DNS data, authenticated denial of existence, and data integrity. DNSSEC does not attempt to solve availability and confidentiality.