Operating System and Web Apps Hacking

A lot can be learned from a hacker (albeit a convicted hacker).  Here are some of his thoughts on OS and web application security:

Securing a system:

I keep my services to a minimum, and I keep them updated. On my Linux box I use custom kernel hardening patches to make memory corruption bugs pretty hard to exploit. OpenSSH is firewalled and only accepts a connection from your ip if you visit a custom port-knocking page on my webserver. Basically the only service listening is apache, without PHP.

On my desktop and laptop I don’t have any services listening at all.
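A way to check the "services to a minimum" posture described above, as an added example that is not part of the interview: it parses `ss -tlnH` output and reports TCP listeners reachable from off-host that are not on an allowlist. The sample output and the allowlist (port 80 only) are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (no header row); not from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 [::]:3306 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
"""

# Assumption: the web server is the only service meant to be publicly reachable.
ALLOWED_PUBLIC_PORTS = {80}

def parse_listener(line):
    """Return (address, port) for one LISTEN row, or None for other rows."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    # Drop a %interface suffix first, then the IPv6 brackets.
    host = host.split("%")[0].strip("[]")
    return host, int(port)

def is_loopback(host):
    if host == "*":  # ss prints * for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """List non-loopback listeners whose port is not on the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port = parsed
        if not is_loopback(host) and port not in allowed:
            findings.append((host, port))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for host, port in unexpected_listeners(SAMPLE_SS):
        print(f"needs a firewall rule or removal: {host}:{port}")
```

Each reported listener should either be removed or sit behind a firewall rule, as the SSH daemon in the setup above does.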

Public computers:

… I try to avoid public computers. If I really have to log in from an untrusted terminal I use otp authentication.

Modern website’s security:

Not very secure. SQL-injections are everywhere.

Discovering SQL injection vulnerabilities:

I don’t know of any specific papers, SQL injection is such a simple concept so you can pick it up in a matter of hours. The best method of finding them manually is to simply insert ‘ and ” union select(..” at random in parameters and see if things break.
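The "see if things break" behaviour from the defender's side, as an added example that is not part of the interview: a query built by string concatenation fails on a lone quote, while a bound parameter treats the same input as data. The table, column and function names are assumptions made for this example.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles (title) VALUES (?)",
                   [("hardening notes",), ("it's patch day",)])
    return db

def search_concat(db, term):
    # Vulnerable pattern: the parameter is pasted into the SQL text,
    # so a quote in the input changes how the statement is parsed.
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, term):
    # Hardened pattern: the parameter is bound and never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT title FROM articles WHERE title = ?", (term,))]

def breaks_on_quote(search, db):
    """Regression check: does a lone quote in the parameter cause a SQL error?"""
    try:
        search(db, "'")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated query breaks:", breaks_on_quote(search_concat, db))
    print("bound query breaks:       ", breaks_on_quote(search_bound, db))
    # A legitimate title containing an apostrophe only works when bound.
    print(search_bound(db, "it's patch day"))
```

Running `breaks_on_quote` against every query helper in a test suite catches the concatenated form before it ships.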

Local source disclosure vulnerabilities:

Yes, sure. You can do a lot with config.php + phpMyAdmin.

What to do in a hacked machine:

1) Find a custom admin interface.

2) Get read access to a db from an SQL-injection.

3) Find tables corresponding to the custom admin interface.

4) Crack the admin password.

5) Log in and upload a new picture, containing PHP.

6) Exploit buggy custom cron-scripts that delete directories in /tmp once a day.

7) Wait for exploit to trigger..

8) Infect a binary on an NFS-share.

9) Wait for someone to use the binary..

10) Enjoy access to the main servers.

Something like that 😉

Operating System:

Personally I use Linux. I don’t consider Linux especially secure, just look at the number of local kernel root vulns found in the last year. I do however know that this is because there are so many people auditing Linux every day. I’d rather use an OS that has a few serious public vulns each year than one where the vulns are still there but aren’t found.

If you make a new operating system, how long it takes for someone to exploit vulnerabilities depends on how secure your code is and how much someone would want to exploit it. A local root vulnerability in QNX isn’t as “popular” as one in Linux, so more people are looking at Linux.

Tools used:

Exploits, network scanners, rootkits, google (perhaps the best network scanner).

And a voice recorder. They are essential when hacking banks.

More security holes:

Yes, I’ve written exploits for most types of bugs. Buffer overflows, format strings, int overflows. I have discovered some holes myself. Nowadays the most popular thing to audit is webapps. The age of remote root holes in popular ftpds is gone.

Government computers:

Personally I think that there are government agencies in the US, China, Russia etc. that have already backdoored each other to hell and back.

Stopping a hacker from coming in:

In short, if you have a network that is connected to the internet and someone wants to get in, they will eventually get in. If you are running the latest versions of all possible software you might think you are safe. But what if someone comes along with a 0day, or someone hacks the home computer of one of your administrators?

Tracing a hacker:

I got too comfortable with my setup and thought I was untraceable. It turns out that, given enough incentive, some people will analyze router logs from all over the world for months until they find you.

PHP:

Make sure whatever PHP software you are using is always up to date. PHP stuff has a tendency to be written very poorly. Install some custom hardening patches like Grsec.

… I’m a big fan of Python. It’s much easier to write insecure software in PHP than in Python.

Security Industry:

I think it has become less about knowledge and innovation and more about hype. Extreme hype. Everyone wants to make money off their name. Bugs become a commodity that is sold to companies that charge subscription fees for advance notice, etc.

Personally I am a blackhat. I loathe the cesspool of inflated egos that is the computer security industry. Therefore, I would never ever advise them to become “whitehats”. As for a more rewarding way to use their skill and curiosity, I can’t think of a good answer. Hacking into computers is simply the most rewarding experience I have ever had. I don’t see it as a problem if you are hacking big companies or governments for the sake of adventure, you are not out to hurt people.

Just make sure not to make money from your hacking, be it selling out to the security industry or selling botnet-stuff to russians. Both will destroy your passion.

Sysadmins:

I understand that ultimately some admin will have to take care of cleaning up after the breach, but it’s a part of their job. If one of the main reasons not to hack is that some administrator, whose job it is to maintain the servers, has to do his job.. I just don’t see that as a very compelling reason not to hack.

Hacking:

The incentive was the thrill of breaking into something that could sometimes have taken over a month of preparation. Looking at information that you weren’t supposed to be looking at. I suppose it’s the same feeling you get when solving any complex problem. It’s better than sex. I mostly worked alone, and I was not hired for anything.

Operating System hacking preference:

I almost exclusively hacked *NIX machines. Mostly Linux and Solaris, but also a lot of IRIX/HP-(S)UX/AIX. I would however definitely say that it is easier to hack a Windows PC, given their history of remote “root” vulnerabilities in default services.

OpenBSD is not secure at all. At least they changed the text on their front page to “Only two remote holes in the default install, in a heck of a long time!”. There’s a reason Theo de Raadt has been hacked a number of times, his ego is enormously inflated. OpenBSD is 10 years behind grsec for example.

The most important part is the anti-exploitation techniques like ASLR, PIE, etc. What I meant to say was that GRsec has always been in the forefront when it comes to those. GRSec, RBAC and SELinux also have MAC capabilities but these are extremely rarely used correctly and to their full extent, since they are so hard to configure right.

IE6 Still Lingering

W3Schools has stats for IE6 usage at about 15%, as of May 2009. IE6 is still being used in Enterprise environments.

It’s steadily dropping because of the wide acceptance of Firefox, and Corporations are proactively upgrading to IE7 or IE8.   This number will change dramatically when Enterprise favors Windows 7 as the new standard for productivity machines.

Some websites have already taken steps to prevent IE6 from loading their site.  I can only applaud their efforts.

IE6 Denial Image


Managing Priorities


As IT personnel, it’s my job to help business-driven projects.  My support tasks generally take priority over my long term IT projects.  There are techniques to manage the priorities of these projects, and get them done.  Here are some ways to do it:

  1. Say When:
    1. Clarify how much time is needed.
    2. Determine if it can be handled now.   If not, make it known to others.
    3. If it can wait, then suggest an agreeable time.
  2. Learn More:
    1. Do quick impact analysis.
    2. Work with the requester for the results and standards required.
    3. Ask for additional learning material.
  3. Ask for help:
    1. Determine how the support request fits into the bigger picture.
    2. Agree on roles and responsibilities from the people involved.
    3. Focus on required resources.
    4. Understand the task required.
    5. Get a completion date.  If not clear, then suggest times for status updates.

In every step, it helps to listen carefully, be polite, and be sensitive to the needs of others.

Contrary to popular opinion, IT is not entirely a lonesome job.  It gets easier to handle when I have the help of my colleagues.

Business may have unending projects.  It helps tremendously if I can prioritize them, according to the time and resources at my disposal.  Knowing what, when, and who are the keys to success.   The how will be answered eventually.  Asking why is counter-productive.