Sunday, September 27, 2015

Are physical cables attacks practical?

Is it practical to carry out an attack that requires physical access to a cable?

It is extremely practical, depending on the value of the target or ease of access. Practicality is based on cost versus reward, just like risk is based on value vs likelihood. CISSP resources discuss qualitative assessments for computing risk where a damage ranking is low, medium, or high. (Gregg, 2005) Using a response based on those rankings, a data integrity or confidentiality attack would represent a high reward for an attacker. Since the yield value is high, a high cost can be invested in it. According to Mandiant, remote attackers persist in an infected network for over two hundred days before detection. (Mandiant, 2014) The physical cable attack by the United States under the Sea of Okhotsk lasted for most of the 1970s until its existence was exposed to the Soviets by a defector. (Drew & Drew, 2008) Ronald Pelton was the spy that turned over that tap to the Soviets, which was collected in 1981. (Warner, 2012) What is a mere 200 days of information if an attacker can suck up data for a decade?

Who might exploit a physical access attack?

  • Random individual (in the accidental case)

  • Disgruntled insider (or former employee)

  • Financially-motivated criminals

  • (Maybe) ideologically-motivated actors ("terrorists")

  • (Or even) state-sponsored professionals ("spies") (Sauver, 2011, p5)

On the side of spies, the United States carried out another instance of this sort of attack against East Germany with the CIA in Operation REGAL. (NSA, 1988) A tunnel was dug to grant access to telecommunications lines and a physical layer tap was applied. In pop culture, ideologically motivated attackers demonstrated the value of a physical attack when a hacker social engineered his way into a secure storage facility and spliced a Raspberry Pi system into the network, which used a wireless card to provide a remote access backdoor. (Giles, 2015)

On the denial of service side, the ease of the attack once access is available means that it can be combined with other attacks. In 1969 the ritualistic murder of Sharon Tate by the Charles Manson family was accompanied by cutting the phone line. (Gardella, 1969) It is both effective and cheap, which has led to it being a staple in pop culture across many mediums. (TVTropes, n.d.)

When considering that cleaning jobs and private building security jobs are fairly low paid, getting hired or paying off an existing worker would not be much of a stretch for a motivated attacker. (PayScale, 2015) If the attacker is a disgruntled insider then they already have convenient access to cabling and time to plan and carry out the act, so pretty much all of the 'practicality' of the attack is already free.


Drew, C., Sontag, S., & Drew, A. L. (2008). Blind Man's Bluff: The Untold Story of American Submarine Espionage. PublicAffairs.

Gardella, K. (1969, August 10). Actress and 4 slain in ritual. Sunday News. Retrieved September 27, 2015 from http://www.nydailynews.com/news/crime/sharon-tate-found-killed-1969-article-1.2314136

Giles, M. (2015). Mr. Robot Recap: Casualties in Every Revolution. Vulture. Retrieved September 27, 2015 from http://www.vulture.com/2015/07/mr-robot-recap-season-1-episode-4.html

Gregg, M. (2005, October 28). Risk Assessment. Pearson. Retrieved September 27, 2015 from http://www.pearsonitcertification.com/articles/article.aspx?p=418007&seqNum=4

Mandiant. (2014). Beyond the Breach. M Trends. Retrieved September 27, 2015 from https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf

NSA. (1988). Operation REGAL: The Berlin Tunnel. National Security Agency. Retrieved September 27, 2015 from https://cryptome.org/2012/04/nsa-operation-regal.pdf

PayScale. (2015). Maid or Housekeeping Cleaner Salary. Retrieved September 27, 2015 from http://www.payscale.com/research/US/Job=Maid_or_Housekeeping_Cleaner/Hourly_Rate

Sauver, J. (2011). Physical Security of Advanced Network and Systems Infrastructure. Internet2. Retrieved September 27, 2015 from http://pages.uoregon.edu/joe/phys-sec-i2mm/phys-sec-i2mm.pdf

TVTropes. (n.d.) Cut Phone Lines. Retrieved September 27, 2015 from http://tvtropes.org/pmwiki/pmwiki.php/Main/CutPhoneLines

Warner, M. (2012). Cybersecurity: a pre-history. Intelligence and National Security, 27(5), 781-799.

Thursday, September 24, 2015

SNMP Enumeration

Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2.

How can the attacks you have described be detected and prevented?

Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2.

Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

A legacy protocol for performing network management, dating back to RFC 1067 from 1988, is the Simple Network Management Protocol. (Case, Fedor, Schoffstall, Davin, 1988) Because the goals of this protocol were to be low in cost to develop the management software, be remotely accessible, impose few restrictions on the form of management tools, and be simply understood by developers, SNMP does succeed in being simple. (Case, Fedor, Schoffstall, Davin, 1990) This caused SNMP to become highly utilized for its ease of use for network management of "routers, switches, hubs, prints, workstations, and servers." (Jiang, 2002, p2)

SNMP network agents receive communication and commands from the management tool over UDP 161, and answer asynchronous traps on UDP 162. (Jiang, 2002) Thus, these devices can be detected through Module 2 scanning for UDP: agents on port 161 and management devices on port 162. Once the device is located, vulnerabilities in the protocol and device implementation can be leveraged to perform the next layer of enumeration and potential attacks. As SNMP is layered on UDP, agents and management systems have to accept requests or traps without the protection of previously established or authenticated sessions. (Jiang, 2002) There is a single shared secret, the SNMP community name, which identifies both that the request is valid and what its access mode is, read-only or read-write. (Case et al., 1990) Unfortunately, a significant number of devices default to having "public" as a read-only community and "private" as a read-write community, which opens these devices up for remote management by any scanner. (Jiang, 2002)

SNMP Enumeration

Once a listening UDP 161 port is discovered on a network and the public community is in use, then attackers are able to extract information about network resources and network configuration information. (EC-Council, 2011) Potential types of resources that can be enumerated are devices, hosts, shares, and servers. (EC-Council, 2011) Network configuration information includes tables such as the ARP and routing tables, statistics about traffic, and specialized device information. (EC-Council, 2011) Since some devices respond to broadcast packets, this enumeration can even occur without the UDP discovery step: an attacker can just send out a public request to the network broadcast address and have the vulnerable devices answer back. (Jiang, 2002)

SNMP Protection Solutions

Jiang recommends using firewalls and routers to block UDP 161 and 162 traffic, inbound and outbound, to prevent SNMP enumeration or exploitation from outside of the network. (2002) Doing so will complicate legitimate remote use, but that can be mitigated by VPNing into the network first and then performing your management through the tunnel.

Network administrators should use tools such as the SANS developed SNMPing to discover the SNMP machines that they didn't know were on their network. (Jiang, 2002) Other useful tools include OpUtils, SNScan from McAfee, and Spiceworks. (EC-Council, 2011) Nobody wants to have their network pwnd because the new printer they bought lets a hacker in via the public and private communities.
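Because the community name travels in cleartext inside a BER-encoded header, a network monitor can flag the exact conditions described above (default "public"/"private" communities, and write requests) by decoding the first few fields of every UDP 161 datagram. The following is an added example written for this post, not code from Jiang or EC-Council; the three datagrams are constructed by hand, and no device was queried.

```python
"""Flag risky SNMP v1/v2c messages (default community, write requests) in captured UDP/161 payloads."""
# Added example for this post, not code from the cited sources. The datagrams at
# the bottom are constructed by hand for illustration.

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value triple at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return version, community and PDU type of an SNMPv1/v2c message.

    SNMPv3 has a different header and no community string, so it is only
    identified, not parsed further.
    """
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version_bytes, pos = read_tlv(body, 0)
    version = int.from_bytes(version_bytes, "big")
    if version == 3:
        return {"version": "v3", "community": None, "pdu": None}
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


def assess(datagram):
    """Return the findings a monitor would raise for one captured message."""
    hdr = parse_snmp_header(datagram)
    findings = []
    if hdr["version"] == "v3":
        return findings                     # per-user authentication; no shared secret on the wire
    findings.append("cleartext community in %s message" % hdr["version"])
    if hdr["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community '%s'" % hdr["community"])
    if hdr["pdu"] == "SetRequest":
        findings.append("write request (SetRequest)")
    return findings


# Constructed sample 1: v1 GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0).
GET_PUBLIC = bytes.fromhex(
    "3026 020100 04067075626c6963 a019 020101 020100 020100"
    "300e 300c 06082b06010201010100 0500")

# Constructed sample 2: v2c SetRequest, community "private", writing sysContact.0 := "x".
SET_PRIVATE = bytes.fromhex(
    "3028 020101 040770726976617465 a31a 020102 020100 020100"
    "300f 300d 06082b06010201010400 040178")

# Constructed sample 3: v2c GetRequest with a non-default community "Zq7!mX".
GET_CUSTOM = bytes.fromhex(
    "3026 020101 04065a7137216d58 a019 020101 020100 020100"
    "300e 300c 06082b06010201010100 0500")


if __name__ == "__main__":
    for name, dgram in (("GET_PUBLIC", GET_PUBLIC), ("SET_PRIVATE", SET_PRIVATE),
                        ("GET_CUSTOM", GET_CUSTOM)):
        print(name, parse_snmp_header(dgram), assess(dgram))
```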


Case, J., Fedor, M., Schoffstall, M., Davin, J. (1988, August). A Simple Network Management Protocol. Network Working Group. Retrieved from https://www.ietf.org/rfc/rfc1067.txt

Case, J., Fedor, M., Schoffstall, M., Davin, J. (1990, August). A Simple Network Management Protocol (SNMP). Network Working Group. Retrieved from https://www.ietf.org/rfc/rfc1157.txt

EC-Council. (2011). Ethical Hacking and Countermeasures v8.

Jiang, G. (2002). Multiple vulnerabilities in SNMP. Computer, 35(4), 2-4.

Layer 1 network attacks

Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in the Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3.

Discuss the security measures or methods used to prevent or mitigate the LAN based attacks you presented in Question A.

Layer 1 of the OSI network model is the physical layer. (Ruh, 2009) All three legs of the security triad can be attacked at layer 1: confidentiality, integrity, and availability.

  • Confidentiality: Ethernet - The first Wi-Fi encryption was called Wired Equivalent Privacy, which is fairly appropriate since WEP is almost trivially broken. (Wójtowicz & Belka, 2014) Wired Ethernet is entirely unprotected at Layer 1 and traffic can be recorded if an attacker can get a hook into the wires. Today an attacker doesn't need to be able to strip and splice your network cables if they have the access to replace the cable that they want to attack with two cables. For just $10 and the cost of two lengths of CAT5 cabling the attacker can place a commercially available Throwing Star LAN Tap. (HakShop, 2015) That small device, sold for penetration testers, copies all traffic crossing it onto two listening ports.
  • Integrity: Wi-Fi - To provide the best user experience with the least configuration, Wi-Fi establishes a connection to an SSID network by connecting to the strongest signal it can find for an access point advertising that SSID. If a stronger connection becomes available then a client system will switch to communicating with that access point. In legitimate networks this occurs for load balancing and supporting mobile clients, but it can also happen if a rogue access point begins advertising the victim network. Once the rogue access point is the client's route to the network then all traffic crossing it is available for manipulation. For $100 an enterprising attacker can buy a preconfigured miniature computer that will automatically listen for SSIDs in use and able to be hijacked and start advertising them. It can then be used to launch various attacks on the traffic such as man in the middle attacking secure connections or returning maliciously manipulated DNS answers. This product is the Wi-Fi Pineapple. (HAK5 2015)
  • Availability:
    • Ethernet - Given only physical access to an Ethernet network, an attacker is able to trivially launch a destructive denial of service attack. Ethernet networks require electrical pulses to be sent along metal wires inside of the cable, so severing the cable with something like a pair of diagonal pliers will terminate the connection. It is as simple as placing the cable inside the pliers and squeezing, though it is recommended that the attacker "place the wire to be cut as near as possible to the joint. This increases the leverage and considerably reduces the manual effort when cutting." (KNIPEX-Werk, 2014) These kinds of attacks were launched on backbone fiber in California earlier this year. (Kravets, 2015)
    • Wi-Fi - Since Wi-Fi is carried on radio signals it is vulnerable to jamming "by emitting radio frequency waves that prevent the targeted device from establishing or maintaining a connection". (Pittman, 2011, p.2) In the United States this is illegal and falls under the jurisdiction of the FCC, but attackers rarely avoid attacks based on the legality of the technique.

Security measures that protect against these attacks

Ethernet: Since Ethernet attacks rely on access to the Layer 1 medium, the cables, the best defense is to prevent such access. Keeping infrastructure nodes such as switches and routers in locked, access controlled spaces stops tools like the Throwing Star from being deployed to critical lines without having to modify cables. Actual backbone cables, such as connections from the network to the Internet, should be entirely protected by secured cable runs, being buried, or inside walls. Cable integrity should be checked periodically to mitigate any attacks that had been launched successfully.

Wi-Fi: Being wireless and transmitted over radio waves, the distances involved end up being a combination of transmitter strength, antenna quality, weather, other traffic on and near the frequency, and objects in the way. With so many variables involved, the best course of defense is a combination of monitoring for rogue access points and keeping your wireless network inside of your facility, while keeping foreign signals out.

  • Electromagnetic signals can be stopped through global shielding, where the entire facility is protected in the perimeter walls, floor, and ceiling. (Herndon, 1990) Wireless networks inside the shielding will be unable to be sniffed from outside, and rogue access points will not be able to be connected to from inside.
  • Wardriving, traveling around scanning for wireless networks, can be used to periodically check for rogue access points broadcasting your SSID. (Etter, 2002) Additionally, wireless intrusion prevention systems can be deployed to automate such monitoring. (Zhang et al., 2010)


Etter, A. (2002). A Guide to Wardriving and detecting wardrivers. SANS Institute, Retrieved 23 September 2015 from https://www.sans.org/reading-room/whitepapers/wireless/guide-wardriving-detecting-wardrivers-174

HAK5. (2015) WiFi Pineapple. Retrieved 23 September 2015 from https://www.wifipineapple.com

HakShop. (2015). THROWING STAR LAN TAP. Retrieved 23 September 2015 from https://hakshop.myshopify.com/products/throwing-star-lan-tap

Herndon, R. L. (1990, December 31). ELECTROMAGNETIC PULSE (EMP) AND TEMPEST PROTECTION FOR FACILITIES. U.S. Army Corps of Engineers

Kravets, D. (2015, Jul 1) California fiber optic cable vandalism continues unabated. Ars Technica. Retrieved 23 September 2015 from http://arstechnica.com/tech-policy/2015/07/california-fiber-optic-cable-vandalism-continues-unabated/

KNIPEX-Werk. (2014). The Diagonal Cutters. Retrieved 23 September 2015 from http://www.knipex.com/en/pliers-abc/some-know-how-about-pliers/the-diagonal-cutters/

Pittman, K. (2011) GPS, Wi-Fi, and Cell Phone Jammers. FCC, Retrieved 23 September 2015 from https://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf

Ruh, L. (2009). Open Systems Interconnection Reference Model. Retrieved 27 January 2012 from http://polaris.umuc.edu/de/csi/OSI_model_2009/OSI_Model_2009.html

Wójtowicz, S., & Belka, R. (2014, November). Analysis of selected methods for the recovery of encrypted WEP key. In Symposium on Photonics Applications in Astronomy, Communications, Industry and High-Energy Physics Experiments (pp. 92902Z-92902Z). International Society for Optics and Photonics.

Zhang, Y., Chen, G., Weng, W., & Wang, Z. (2010, June). An overview of wireless intrusion prevention systems. In Communication Systems, Networks and Applications (ICCSNA), 2010 Second International Conference on (Vol. 1, pp. 147-150). IEEE.

Sunday, September 13, 2015

Advanced Traceroute: Firewalk

The module for class this week describes using IP packet time to live, TTL, values to map out the route across the network that your data takes to reach its destination. Modern operating systems come default with tools to perform this sort of diagnostic, with Windows utilizing ICMP Echo Request packets while UNIX and Linux use high port UDP. (UMUC, 2012)

Send a packet with a TTL of one so that the first hop in the route responds with an ICMP error of type 11, Time Exceeded, and code 0, time to live exceeded in transit. (Postel, 1981) Next, send successively higher TTL values until the destination responds. By recording the sender information from the ICMP error messages, you make a list of nodes where the sender for TTL N is N hops away. As long as network gateways allow in your tracer packets and allow out the ICMP errors, that is.

Firewall devices may drop tracer packets because they only allow specific traffic services through. An advanced traceroute technique accounts for this and uses a TTL of the firewall's distance plus one to map the allowed services on that firewall, a technique known as firewalking. (Irby, 2000) It works because the traceroute operates at the IP level and therefore leaves the choice of encapsulated protocol open. TCP, UDP, ICMP or any transport layer protocol can be tested. If a Windows traceroute times out at a hop but a probe to UDP port 53, DNS, gets a response, then that device is dropping ICMP Echo Requests but allows DNS traffic. (Irby, 2000)
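Seen from the firewall's outside interface, the technique has a recognisable shape: every probe arrives with the same small TTL (it is meant to expire one hop past the firewall) while the destination port and protocol sweep across many services, which is the opposite of a classic traceroute, where the port stays put and the TTL walks upward. This added example (written for this post, not code from Irby or SANS) classifies sources in a constructed capture on that basis; the addresses are from the RFC 5737 documentation ranges.

```python
"""Classify sources in a packet capture taken at a firewall as firewalk, traceroute or other."""
# Added example for this post; not from Irby (2000). The capture below is constructed.
from collections import defaultdict

MIN_SERVICES = 5     # distinct (protocol, port) pairs before a source counts as a sweep
MAX_PROBE_TTL = 2    # arrival TTL that would expire at the firewall or the hop right behind it

# Constructed capture records: (source IP, protocol, destination port, TTL on arrival).
CAPTURE = [
    # ordinary web client far away: one service, TTL typical of a distant sender
    ("192.0.2.10", "tcp", 443, 58), ("192.0.2.10", "tcp", 443, 58),
    # plain port scan from afar: many services, but the probes are not built to expire
    ("192.0.2.20", "tcp", 22, 117), ("192.0.2.20", "tcp", 25, 117), ("192.0.2.20", "tcp", 80, 117),
    ("192.0.2.20", "tcp", 443, 117), ("192.0.2.20", "tcp", 3389, 117),
    # classic UNIX traceroute: high UDP ports, TTL increasing by one per probe
    ("192.0.2.30", "udp", 33434, 1), ("192.0.2.30", "udp", 33435, 2),
    ("192.0.2.30", "udp", 33436, 3), ("192.0.2.30", "udp", 33437, 4),
    # firewalk: TTL pinned to firewall distance + 1 (arrives as 2), services vary
    ("198.51.100.7", "tcp", 22, 2), ("198.51.100.7", "tcp", 25, 2), ("198.51.100.7", "tcp", 53, 2),
    ("198.51.100.7", "udp", 53, 2), ("198.51.100.7", "tcp", 80, 2), ("198.51.100.7", "tcp", 443, 2),
    ("198.51.100.7", "udp", 161, 2),
]


def classify_sources(records):
    """Group records by source and label each source 'firewalk', 'traceroute' or 'other'."""
    by_src = defaultdict(list)
    for src, proto, dport, ttl in records:
        by_src[src].append((proto, dport, ttl))

    verdicts = {}
    for src, pkts in by_src.items():
        ttls = {ttl for _, _, ttl in pkts}
        services = {(proto, dport) for proto, dport, _ in pkts}
        all_expiring = max(ttls) <= MAX_PROBE_TTL
        if all_expiring and len(ttls) == 1 and len(services) >= MIN_SERVICES:
            verdicts[src] = "firewalk"      # constant low TTL, many services: mapping the ruleset
        elif min(ttls) <= MAX_PROBE_TTL and len(ttls) > 1:
            verdicts[src] = "traceroute"    # expiring probes whose TTL climbs hop by hop
        else:
            verdicts[src] = "other"         # includes ordinary scans, which need a separate rule
    return verdicts


def firewalk_sources(records):
    """Return the sorted list of sources whose traffic matches the firewalk pattern."""
    return sorted(src for src, v in classify_sources(records).items() if v == "firewalk")


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(CAPTURE).items()):
        print(src, verdict)
```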


Irby, D. (2000). Firewalk: Can Attackers See Through Your Firewall. SANS

Postel, J. (1981). RFC 792: Internet control message protocol. InterNet Network Working Group.

UMUC. (2012) Advanced TCP/IP, CSEC-640 – Module 1. Retrieved from: https://leoprdws.umuc.edu/CSEC640/1206/csec640_01/assets/csec640_01.pdf

Thursday, September 10, 2015

TCP Discussion

A vital aspect of TCP which is conveniently abstracted away from normal use is the TCP window size. Because endpoints of various levels of speed, capability, and memory operate across networks, reliability can only be achieved efficiently if endpoints have “a means for the receiver to govern the amount of data sent by the sender”, as is described in RFC 793 (Postel, 2003). Windows are the size of buffers maintained by network TCP stacks and fill with incoming data and empty as that data is consumed by the networking application.

TCP Flow control lessons learned from programming network tools:
If you are watching a TCP session, such as in Wireshark, and the TCP window suddenly starts shrinking then it means that the endpoint has stopped calling recv. This is a likely sign that the receiving application is blocking on the thread processing inbound data, and probably blocking inappropriately. Check for waits or even premature thread termination. This problem will occur also if the inbound data thread has exited without triggering a closure of the socket.

Man, I hate it when comedians tell jokes about TCP. They just keep repeating it until you laugh! This is because, as a protocol, TCP guarantees reliability through Positive Acknowledgement with Retransmission. (Vacca, 2009, pg 298) Data packets are retransmitted until they are acknowledged.



Postel, J. (2003). RFC 793: Transmission control protocol, September 1981.Status: Standard, 88.

UMUC. (2012) Advanced TCP/IP, CSEC-640 – Module 1. Retrieved from: https://leoprdws.umuc.edu/CSEC640/1206/csec640_01/assets/csec640_01.pdf

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman

Friday, August 21, 2015

Why bug bounties?

"Rule #1 of bug bounties: No matter how much money you're offering, assume that someone evil found the bug first and didn't report it" - Colin Percival of tarsnap

This! This is why locating and fixing possibly exploitable bugs is so important and why bug bounties help.

If a black hat finds an exploit then they will make money. So there is a direct monetary reward for black hats finding vulnerabilities. Bugs = $.

If a developer ships software then they will make money. There is no money in creating perfect vaporware, only in completed software.
Shipped software = $.
Shipped software has bugs. Therefore your developers will be just as likely to innocently introduce bugs as prevent exploits. Not a good line of defense.

A fixed set of QA engineers will only ever find the bugs that they find. And they are on salary.
Time = $.
They will not find the bugs that are outside of the processes and skills of that fixed team.

So at this point, only one of our three groups has a direct financial reward for finding exploitable bugs in shipped software... and they won't be telling you about it. They have had a reason to be pounding on your software to the very best of their abilities and a reason to succeed. Their livelihood is dependent on being the first to that bug. So they probably were. How many 0 days were exposed by Stuxnet? Hacking Team?

Those that benefit most could have spent the most resources on finding the bugs. So you have to assume that they already did.

Wednesday, July 29, 2015

Tips and tricks: Debugging on Android

I searched all over for this information and want to save it for the future.

Situation: Code running on an android emulator, hosted on a Windows 8 box. GDB is available in an Ubuntu emulator running in VMware on the same Windows 8 box.

Goal: To connect the GDB in Ubuntu to a gdbserver on the android device.

1. Forward 127.0.0.1:PORT to the android device (here PORT is 5039)...      adb forward tcp:5039 tcp:5039
2. Open a shell to the android device... adb shell
3. Begin debugging the process on the device [gdbserver :PORT --attach PID]... gdbserver :5039 --attach 1574
4. adb forward only forwarded 127.0.0.1, which the VM can't get to. Use netsh to forward the public IP to the localhost port...  netsh interface portproxy add v4tov4 listenport=5039 listenaddress=192.168.1.2 connectport=5039 connectaddress=127.0.0.1
5. In Ubuntu, open gdb and connect to the server... target remote 192.168.1.2:5039
Bam! The Windows box forwards the connection from the VM to the device and gdb meets gdbserver.

This isn't enough, as my gdb is rejecting the connection with "warning: Architecture rejected target-supplied description", but it is a big step forward. For the next step you need an appropriately built gdb which matches the ABI (application binary interface) of the targeted device.

Acquiring an ARM-Linux tool chain for targeting Android:
Download and run the android-ndk from https://developer.android.com/tools/sdk/ndk/index.html

Once the files are present, use the instructions at https://github.com/mapbox/mapbox-gl-native/wiki/Android-debugging-with-remote-GDB to open the correct gdb

Sunday, May 24, 2015

Letter to Congress: TPA 'Fast Track'

Here is a letter that I have drafted to send to my Congressional Representative concerning the currently debated Trade Promotion Authority. Please copy it and send it to your Congressional Representative.

Find your rep: http://house.gov/representatives/

Read the Constitution Article 2 section 2

--------------
<REPRESENTATIVE>,

I strongly urge you to do everything in your power to prevent the passage of the Senate's trade promotion authority bill.

As advertised, the bill is a clear violation of Article II, section II of the Constitution. Without both the ability to approve AND comment, then the Senate is unable to perform their Constitutional duties with regard to treaties.

Again, as a resident of the <DISTRICT> Congressional District of <STATE>, I encourage you to fully oppose this de facto Amendment by legislation. It is not within the power of the Congress to pass, and so it must not be.

Thank you,
<FULL NAME>
<ADDRESS>

Thursday, February 5, 2015

New project - Windows crypto wrapper for python

The Win32 Crypto API is a pain to work with, as evidenced by how often OpenSSL is used instead of the operating system's built-in functions. Hard to use in C turns into absolutely impossible to interact with in Python, so I have been working to fix that.

Introducing WinCrypt.py! The result will be a clean, object-based pythonic wrapper to use the Win32 Crypto API.

Anyway, I was speaking with a guy today about certificates, SSL, and their contents. Convenient, since this code was just written up yesterday...
CERT_INFO structure in python

Of course I was only able to mentally walk back structure a few rows at the time, and sort of directed the conversation onto a tangent about the NotAfter usage.

Tuesday, January 13, 2015

How many bits of entropy will stop a targeted attack?

Over at security.stackexchange there is currently the following question:
The OpenPGP (private) key format stores the key symmetrically encrypted ... key expansion takes about a second on my computer (GPG).
With this kind of setup, is it possible to make it hard enough to brute-force that it's sane to have the private-key publicly available?
I expect the answer depends on the passphrase complexity. E.g. if you somehow managed to have a passphrase with 256 bits of entropy, then an attacker would be better off just guessing the derived key instead of the passphrase - which in this case amounts to brute-forcing an AES key (which I'd consider hard enough to be "safe"). So the question might really be "how complex does your passphrase have to be to make this safe?".
I touched on this thought in my comment over there, but would like to muse on the question a bit more.

He is talking about having his encrypted private key publicly exposed, most likely in a way that it is associated back to one of his accounts. Unless he plans on never actually using the key pair, there will be exploitable benefits to someone malicious to have the private key. Forge messages, open messages sent to him, possibly open messages sent from him. Also, just the thrill of winning may drive folks to attempt this challenge.

Folks, don't issue challenges like this. Remember Todd Davis, the LifeLock CEO that put his Social Security Number in the ads because of how confident he was in his product? He has been identified as an identity theft victim 13 times. And that is with his entire company's mission and reputation on the line (a reputation that the federal government viewed as $12 million tarnished!). Don't do it!

Once the challenge is issued, it isn't just a question of whether the password can be cracked. It now becomes a question of whether he can be hacked. Well crafted, personalized malicious emails (spear phishing) being sent to him, possibly even coming from his compromised friends. When you are a target, anyone connected to you may become a target. As a target, a large amount of personal information can typically be gathered, including address, phone number, family members and more. Unfortunately this activity, doxxing, is fairly common as a type of online harassment. Challenged enough, what can someone do with all this information?
Not a *likely* outcome. Source: XKCD
If a hacker gains control of your computer, they can place software to harvest your sensitive data: passwords, pseudonyms, possibly financial information.

Please, don't intentionally make yourself a target. (Says the guy that ran for Congress in 2014)

Thursday, January 8, 2015

What is... gamerDNA

gamerDNA
Find out what's happening in a game you're playing
January 7, 2015
Matthew Molyett
https://secsandcyber.blogspot.com

Executive Summary

This is a detailed look into the web application gamerDNA, which is a social networking website for video game players and games database. Data about the application was collected through a combination of manually browsing the web pages, inspecting URL structures, scraping pages through a Python spider script, and inspecting the application traffic recorded in WireShark and FireBug. Based on URL structures and file extensions, the backend of gamerDNA is Ruby on Rails and php. I confirmed my understanding of the interaction traffic by creating a Python module to allow interacting with the application through automation, which is available on GitHub. Connections to gamerDNA can be made over HTTPS, and most sensitive pages try to redirect to it, but the certificate is expired.

Why gamerDNA?

To select an application I wanted to inspect, I pulled an entry off of the English Wikipedia page “List of social networking websites.” My criteria were that the site be identified as fairly mature (gamerDNA was established September 2006), have a large user base (310,000), and be near the middle of the list when sorted on page ranking (approximately in the middle). Candidate applications needed to be in English, something I’d never used, registerable, and have a general subject matter that I’d be familiar with (gamerDNA is listed with a focus of “Computer and video games”). Before looking into the site, I read the linked Wikipedia page. All the parenthetical details are as presented in the List. The player directory on the site claims 864,576 users.

Methodology and reason

During my initial review of gamerDNA, I browsed the site unauthenticated and only via HTTP in FireFox with FireBug in a Windows XP VM. Being in an XP VM minimized the network chatter that I was seeing on my host system’s WireShark capture. This setup allowed me to really dive into the network actions of the gamerDNA application and learn some new tricks for using WireShark to trace.
http.request.method == "POST"
Verifying what I believed through Python was also educational, as I had to learn about making POST requests and maintaining cookies. Also, the ‘requests’ module!

Public Application Functions

gamerDNA provides three primary functions, a directory of Games, a directory of Players, and "NOW", which is a feed of recent activity on the application; all of this is browsable by the public. Most activity and information submitted by members is publicly visible, where only real name, gender, and age can be private.

Member Application Functions

As a social networking site, gamerDNA allows the posting general public statuses, statuses related to a game being played, sharing images (with or without association to a specific game), reviewing games, and associating games and gaming consoles with themselves. These pieces of data can be aggregated into a viewing feed, called the gamerCURRENT, by selecting Players or Games to Follow. Each Player has a main homepage at [PlayerHandle].gamerdna.com
A Gamer's profile consists of four pages
  1. A homepage with a status feed, recently played games, 'follower' information, and an avatar image
  2. A gamer biography page with Name, Sex, Age, gaming info, and gamerDNA account info (join data, last login, profile views)
  3. A games played page
  4. An image hosting page
Other functions available to members
  1. API key and /help/helix-api/
  2. private messaging at /private.php
  3. vbulletin Forums at /forums.php
  4. quiz at /quizzes/
  5. Warhammer Signatures at /warhammer-signature
  6. Warcraft Signatures at /wrath-of-the-lich-king-signature
  7. Guild hosting at /hosting/ **HTTPS only**
  8. Chat

Website Identity Information

  • Copyright Info: "gamerDNA®, Contents are Copyright 2006–2015 PLAYXPERT LLC and Live Gamer Inc. gamerDNA and the gamerDNA Logo are trademark and property of Live Gamer Inc."
  • DNS
>>nslookup gamerdna.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    gamerdna.com
Address:  208.88.178.16
  • WHOIS [Full details in Appendix A]
Registrant Organization: LIVE GAMER, INC.
Registrant City: NEW YORK
Registrant State/Province: NY
Registrant Postal Code: 10012
Registrant Country: US


  • GeoIP2 City
IP Address: 208.88.178.16
Location: Sunnyvale,California,United States,North America
Postal Code: 94089
  • Certificate Information

CN = *.gamerdna.com
OU = PositiveSSL Wildcard
OU = Domain Control Validated
Valid (10/10/2013 0:00:00 AM GMT) - (10/11/2014 23:59:59 PM GMT)
CA Issuers: URI: http://crt.comodoca.com/PositiveSSLCA2.crt
DNS Name: *.gamerdna.com
DNS Name: gamerdna.com
  • Interesting Geographic data

    • From the Terms of Service:
      • Choice of Law and Forum. The TOS and the relationship between you and GamerDNA shall be governed by the laws of the Commonwealth of Massachusetts without regard to its conflict of law provisions. You and GamerDNA agree to submit to the personal and exclusive jurisdiction of the courts located within the county of Middlesex, Massachusetts.
    • Server Hosting based on IP:
      • Sunnyvale,California
    • Domain Registration:
      • Registrant Organization: LIVE GAMER, INC.
      • Registrant City: NEW YORK
      • Registrant State/Province: NY

Security Issues [Full details in Appendix C]

  1. Website presents an expired certificate: This causes visitors to have to click through a browser warning about the identity of the site. If accessing the site requires a security click-through, users are less likely to notice a bad certificate being presented due to an ongoing Man In The Middle attack.
  2. Website allows account registration and login over HTTP: This exposes a created account's password (or its unsalted MD5 hash) in network traffic. Disallowing this would lock out HTTP-only users, but allowing it amplifies the already significant risk of password reuse.  [Full packets in Appendix B]
  3. Website allows logged in users to navigate over HTTP: This exposes the session cookies in network traffic. Disallowing this would lock out HTTP-only users, but allowing it risks session hijacking.
  4. XXXXX Redirects to an attacker specified page
    1. SEE APPENDIX C
  5. Fields allow for static script injection
    1. SEE APPENDIX C
  6. Information leak in 403 Error Page
    1. SEE APPENDIX C
  7. Server software in use
    1. SEE APPENDIX C
  8. Registration page
    1. SEE APPENDIX C
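As an added example (not from the report or from the spider.py project), the following Python checks for findings 1 through 3 against constructed inputs: the certificate expiry date from the listing above, the post's date as the reference "now", and an invented login response with a placeholder host.

```python
import re
from datetime import datetime, timezone

# Constructed inputs. The validity end date mirrors the report's certificate
# listing; the URL and HTTP response are invented, not captured traffic.
CERT_NOT_AFTER = "10/11/2014 23:59:59 GMT"
AUDIT_DATE = datetime(2015, 9, 27, tzinfo=timezone.utc)  # reference "now"
SAMPLE_LOGIN_URL = "http://www.example.com/login.php"   # placeholder host
SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: remember=xyz; Path=/; Secure\r\n"
    "Location: http://www.example.com/home\r\n"
    "\r\n"
)

def cert_expired(not_after: str, now: datetime) -> bool:
    """Finding 1: True when the certificate's notAfter lies in the past."""
    exp = datetime.strptime(not_after.replace(" GMT", ""), "%m/%d/%Y %H:%M:%S")
    return now >= exp.replace(tzinfo=timezone.utc)

def login_over_http(request_url: str, response: str) -> bool:
    """Finding 2: True when credentials were posted to an http:// URL and the
    server accepted them instead of bouncing the client to https://."""
    status = int(response.split(" ", 2)[1])
    loc = re.search(r"^Location:\s*(\S+)", response, re.M | re.I)
    to_https = loc is not None and loc.group(1).lower().startswith("https://")
    return request_url.lower().startswith("http://") and status < 400 and not to_https

def cookies_without_secure(response: str) -> list:
    """Finding 3: names of Set-Cookie values lacking the Secure attribute,
    i.e. cookies the browser will also send over plain HTTP."""
    names = []
    for line in response.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            cookie = line.split(":", 1)[1].strip()
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if "secure" not in attrs:
                names.append(cookie.split("=", 1)[0])
    return names

def audit(request_url: str, response: str, not_after: str, now: datetime) -> dict:
    """Run the three transport checks and return the findings."""
    return {
        "expired_cert": cert_expired(not_after, now),
        "login_over_http": login_over_http(request_url, response),
        "insecure_cookies": cookies_without_secure(response),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_URL, SAMPLE_LOGIN_RESPONSE, CERT_NOT_AFTER, AUDIT_DATE))
```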

Application functionality

The application functionality that I analyzed has been implemented in the gamerDNA class of spider.py. ( https://github.com/SecsAndCyber/py_gamerDNA/blob/master/src/spider.py )

Login Functions

  • login.php
  • logout?r=%s

Check Email

  • accounts/checkEmailUniquity.php?email=%s

Make Status Post

  • rails/profile/set_quote

Follow Games or Players

  • rails/profile/follow/%s
  • rails/profile/unfollow/%s
  • rails/game/follow/%s
  • rails/game/unfollow/%s

Associate or Review Games

  • dna/add_game/%d
  • dna/delete_game/%d
  • dna/game_update/%d

Update Biographical Information

  • rails/dna/save_info
  • rails/dna/update_location/?location=%s

Add or Remove Images

  • rails/dna/image_submit
  • rails/dna/image_delete/%d

Author's note: Full report with appendices possibly available. Contact me if you are interested.

Sunday, January 4, 2015

Extending your home network... insecurely

I reorganized my house this week and gained a private office space, though one without a coaxial jack. This makes it impossible to immediately replicate my previous setup of a whopping three feet of CAT 6 between my main workstation and the FiOS router. Unfortunately a WiFi connection isn't an option, as the box isn't compatible.

Options for connecting a new room to your home network

  1. Add CAT 6 Ethernet cabling: Doing this cleanly requires running cables through the walls and cutting holes for new outlet boxes with a face plate. Highly suggested if you own your house, but I'm in a rental. Pass.
  2. Reuse an extra wireless router as a wireless bridge: I tried this one for a few hours (hours that the wife was not happy I was spending!) but the only router I had sitting around was an Actiontec MI424WR Rev I which is not compatible with DD-WRT firmware.
  3. Power-line networking: Add a device to connect Ethernet networking over the existing power lines within the house. The guy I talked to at Best Buy recommended the Actiontec Powerline Ethernet Adapter Kit [PDF] over the WiFi extender I was looking at. At $39.99 instead of $99.99, I decided to try it.
Fast and easy...setup in less than 5 minutes
The box claims a quick and easy set-up, just plug the single adapter into the wall and wire it to the router. Plug the four port adapter into the wall near your machines and wire them up. So I did, and almost immediately my workstation was connected to the Internet... success! Or so I thought.

Verify that the network is up

Along with my main workstation, my office is home to a server which provides multimedia and intranet web hosting. Once I had Internet access, the next step was to check for the rest of the intranet machines. I navigated to http://192.168.1.1 (default MI424WR address) and the expected page pulled up, but my login failed. Double checking my password typing, the login failed a second and third time. More information needed now!

Check Windows' "Network" page

Under Printers there was a Lexmark; under Computer there was a name I didn't recognize. This is a problem, and one that needed to be addressed immediately! My workstation was connected to someone else's network.

Ease of setup security hole

The problem was documented right there in the manual, the adapters come pre-provisioned with a default, generic encryption key. This is great for easy set up because you can just plug it in and go. It is bad for security because it means you can just plug it in and join any network that is already there! Turns out my neighbors already had expanded their network with a similar, compatible product. They plugged it in and it just worked. I plugged mine in and it just worked... with their existing network.

I don't understand why the manual in the box doesn't explain how to update the encryption key; it just directs you to their website. That pretty much guarantees that a random person sent home by their Best Buy clerk will never update it.

From the Actiontec website:
    How do I change the encryption key on a PWR500 Powerline Adapter?
    To reset and change the encryption key on the PWR500, follow the steps below:
  1. Plug the Adapters into electrical outlets on the same circuit.

  2. Press and hold the Security button on each unit one at a time for exactly 10 seconds. On the 10th second, let go of the button. When you release the button, the Power LEDs will turn off very briefly and turn back on. The LK LEDs will not turn back on at this time.

  3. Then on one of the units, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will begin to flash.

  4. Now on the other unit, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will turn off and back on briefly, and then the LK LED should be lit on both units. Provided the LK lights on both units are lit, the encryption key has been changed and the two Adapters are now connected on the same Powerline network with a new encryption key.