Sunday, 28 September 2014

Showing your NAS to the world.

The world has gone very digital and we now store a massive amount of data on our phones, our laptops and other devices that are prone to being lost, dropped or drowned.

To combat this fear of data loss, a growing number of people are buying home NAS (network attached storage) solutions. These little boxes sit in the corner and usually have software that you can install on your computer to perform automatic backups, thus mitigating the need to think about doing file backups.

Convenience over security

Some of these manufacturers have included really nice features such as FTP services so that you can access your files from outside your home network thus giving you the feeling of your own private cloud. The problem is that people turn on this feature but forget to set a password. Or worse, ignore setting the password altogether. Often it is in the belief that these files will never be found by the general public, much in the same way that people will not to think to look under the mat for the front door key.

Finding what is out there

There are many different ways to search for FTP sites. The most basic one is your search engine of choice which more often than not is Uncle Google, the “benevolent” overseer of the web.

However, if you use one of the more specialized search engines such as ftpsearch.co or searchftps.org, you can start looking for specific files and file types. Take it one step further and mix in the likes of Shodan.io, and it becomes much more obvious that there is a high degree of ignorance about securing these services: people do not recognize the danger of what they are doing for the sake of convenience.

Let's look at some basic searches, such as "password xls" on searchftps.org (ftpsearch.co blocks certain keywords). This query returns results where the two terms appear in the same URL. A lot of people share passwords using Excel, especially in small corporate environments.

As we all know, or should know, saving passwords in Excel, text files or any other unsecured file format is the same as writing them on a post-it note and sticking it to your computer screen.


A look at one of these files shows how much information is leaking. The owner of this file has already been notified that they should password-protect their FTP service, or better still move it to SFTP or SCP, and change all the passwords. In addition, using something like KeePass, LastPass or any other password manager would be a much better solution for them.

Moving on a bit, it is time to see what other information can be found. The directory MobileSync is used by Apple iTunes as the save location for your local iPhone backups. A quick search for "MobileSync plist" will show iPhone backups.

Using a tool such as iPhone Backup Extractor from Reincubate will extract the contents of the phone to your local hard disk. A lot of people store much more than phone numbers on their phone: this tool will extract text messages, pictures and videos, and of course anything else that is saved in the file system. If you have managed to find someone's Apple ID account name and password, you can download it straight from iCloud using Elcomsoft EPPB.

Pictures of credit cards, passports and loved ones, very private pictures and messages can all be leaked in this way. There has been a huge amount of publicity lately around this, in relation to the release of a large number of private images stolen from celebrities' phones.

As a parent, this is quite terrifying. Phone images more often than not contain GPS data, which is yet more information for a potential predator. If it is a corporate phone, there are bound to be some saved e-mail attachments, which can lead to issues such as loss of competitive advantage.
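To make the GPS claim concrete, here is an added example (not code from the post) that shows where the location data lives in a photo and how to find and remove it before the file lands on a NAS. A JPEG carries its EXIF metadata in an APP1 segment; inside it, a TIFF-style IFD0 directory holds tag 0x8825, which is a pointer to the GPS sub-IFD. The script walks that structure with the standard library only and can strip the whole EXIF block. The sample "photo" it builds is a constructed minimal JPEG with no image data, just enough structure to exercise the parser.

```python
"""Detect and strip EXIF GPS metadata from JPEG files (added example, stdlib only)."""
import struct

EOI, SOS, APP1 = 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825   # IFD0 tag whose value is the offset of the GPS sub-IFD
MODEL_TAG = 0x0110         # camera model, used only to give the sample a second entry


def iter_segments(data):
    """Yield (marker, payload, start, end) for each marker segment after SOI.
    Stops at SOS (start of the entropy-coded image data) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == EOI:
            return
        if marker >> 8 != 0xFF or pos + 4 > len(data):
            raise ValueError("corrupt segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        if marker == SOS:
            return
        pos = end


def exif_has_gps_ifd(payload):
    """True if the EXIF APP1 payload's IFD0 contains a GPS IFD pointer (tag 0x8825)."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                      # each IFD entry is 12 bytes
        entry = ifd0 + 2 + 12 * i
        tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
        if tag == GPS_IFD_POINTER:
            return True
    return False


def has_gps(jpeg):
    """True if any EXIF APP1 segment of the JPEG carries a GPS sub-IFD."""
    return any(m == APP1 and exif_has_gps_ifd(p) for m, p, _, _ in iter_segments(jpeg))


def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed.
    All other segments and the image data are copied through untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, payload, start, end in iter_segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                             # image data (if any) and EOI
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed sample: SOI, one little-endian EXIF APP1 segment, EOI, no pixels."""
    entries = [(MODEL_TAG, 2, 4, b"NAS\x00")]     # ASCII "NAS", value fits inline
    gps_ifd = b""
    if with_gps:
        gps_off = 8 + 2 + 12 * (len(entries) + 1) + 4   # GPS IFD placed right after IFD0
        entries.append((GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_off)))
        # GPS IFD with a single GPSVersionID (tag 0, BYTE x4) entry and no next IFD
        gps_ifd = struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00" + struct.pack("<I", 0)
    ifd0 = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd0 += struct.pack("<HHI", tag, typ, cnt) + val
    ifd0 += struct.pack("<I", 0)                  # no next IFD
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample_jpeg(flag)
        print("gps present:", has_gps(sample), "-> after strip:", has_gps(strip_exif(sample)))
```

Two caveats when using this on real photos: some devices also write location into an XMP segment or into vendor MakerNotes, which this check does not inspect, and dropping the whole APP1 segment discards orientation and other harmless tags along with the GPS data.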

People also save complete copies of their hard disks as VHD files. These virtual hard disks can be mounted in Windows, for example. A quick change of the permissions on the folders and the disk is ready to be explored. Worse, the local password database can be extracted from it and the passwords brute-forced. Given that Windows 8 now, for the most part, uses Microsoft accounts that are linked to online accounts, you could be opening yourself up to a world of hurt and potential identity theft.

How bad is it?

This problem is extremely widespread, as seen by the number of files being indexed daily. The front page of searchftps.org proclaims 658,200,216 files (8181.99 TB) across 21,505 FTP servers. That's a lot of exposed files. Even if only 1% of that is personal backups, you are looking at 82TB of data. That's a lot of passwords!

So what is the fix for this?

The easiest and quickest option is to disable anonymous access to your FTP service, if you have not done so already. Below is a list of common FTP/NAS providers and links to documentation on their FTP services.

The next step is to consider whether you need FTP at all and, if so, to switch to SCP or SFTP, as FTP itself is inherently insecure.

As with all personal security, the issue is easily prevented. Do not bare your NAS to the world unless you are happy with the world seeing your private data.
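The check a NAS owner would run, from outside the home network against their own public address, to confirm that the first fix above actually took: this is an added example and not code from the post. It uses Python's ftplib to attempt the standard anonymous login (USER anonymous / PASS anonymous@) and reports the outcome. So that it runs offline, it is paired with a constructed stub FTP responder that only understands USER, PASS and QUIT; the stub, the three result labels and the 127.0.0.1 addresses are assumptions of the example, not anything from the post.

```python
"""Verify that an FTP service refuses anonymous logins (added example, stdlib only)."""
import ftplib
import socketserver
import threading


def probe_anonymous_ftp(host, port=21, timeout=5.0):
    """Attempt the standard anonymous login against host:port.
    Returns 'anonymous-allowed', 'anonymous-refused' or 'unreachable'."""
    try:
        ftp = ftplib.FTP(timeout=timeout)
        ftp.connect(host, port)              # reads the 220 banner
        try:
            ftp.login()                      # USER anonymous / PASS anonymous@
            return "anonymous-allowed"
        except ftplib.error_perm:            # 5xx reply to USER or PASS
            return "anonymous-refused"
        finally:
            ftp.close()
    except (OSError, EOFError, ftplib.Error):
        return "unreachable"                 # refused connection, timeout, bad banner


class _StubFTPHandler(socketserver.StreamRequestHandler):
    """Constructed minimal FTP responder for the offline demo. It answers PASS
    with 230 or 530 depending on server.allow_anonymous, nothing more."""

    def handle(self):
        user = ""
        self.wfile.write(b"220 stub NAS ftp ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:                     # client closed the control connection
                return
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                if user.lower() == "anonymous" and self.server.allow_anonymous:
                    self.wfile.write(b"230 Anonymous login ok\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class StubFTPServer(socketserver.ThreadingTCPServer):
    allow_anonymous = True
    allow_reuse_address = True
    daemon_threads = True


def start_stub(allow_anonymous):
    """Bind a stub on a free loopback port and serve it on a background thread."""
    srv = StubFTPServer(("127.0.0.1", 0), _StubFTPHandler)
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe two constructed stubs: one misconfigured (anonymous on), one fixed.
    Returns {True: result for the open stub, False: result for the fixed stub}."""
    results = {}
    for allowed in (True, False):
        srv = start_stub(allowed)
        try:
            results[allowed] = probe_anonymous_ftp("127.0.0.1", srv.server_address[1], timeout=3)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for allowed, result in demo().items():
        print("stub with anonymous %s -> %s" % ("enabled" if allowed else "disabled", result))
```

Against a real NAS, replace the stub with the public hostname and port from outside your network; "anonymous-refused" is what you want to see, and "unreachable" is better still if you have no need for FTP at all. Note that a "refused" result says nothing about the credentials in use, and FTP still carries them in clear text, which is why the post recommends SFTP or SCP.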

Wednesday, 16 April 2014

Techdays NL 2014 Resources Part 1

Thanks to all who came to my Defensive Programming session. It was great to have such an interactive audience.

Code download: Here

The excellent haveibeenpwned.com by Troy Hunt

ASP.NET Resources

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• Basic Security Practices for Web Applications - http://msdn.microsoft.com/en-us/library/zdh19h94(v=vs.100).aspx

• ASP.NET MVC Security - http://www.asp.net/mvc/overview/security

• Combating ClickJacking With X-Frame-Options - http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASafaWeb - https://asafaweb.com/

• ASP.NET Security Wiki - http://wiki.asp.net/page.aspx/27/security/

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

• Penetration Testing Tools list - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Thursday, 13 June 2013

Defensive Programming 101 at NDC 2013 Resources

Thanks to all who came to my session at NDC.

The following is the list of resources that I suggested at the end of my talk.

ASP.NET Resources

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• Basic Security Practices for Web Applications - http://msdn.microsoft.com/en-us/library/zdh19h94(v=vs.100).aspx

• ASP.NET MVC Security - http://www.asp.net/mvc/overview/security

• Combating ClickJacking With X-Frame-Options - http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASafaWeb - https://asafaweb.com/

• ASP.NET Security Wiki - http://wiki.asp.net/page.aspx/27/security/

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

• Penetration Testing Tools list - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List

Project Swiss Cheese will be on GitHub within the week.

Tuesday, 16 October 2012

DDD North 2 Resources

At the end of my talk at DDD North 2 there was a massive list of URLs for people to reference later. Here is a copy of all of those links.

ASP.NET Resources

• Web session management security - http://www.isecpartners.com/files/web-session-management.pdf

• OWASP Top 10 by Troy Hunt - http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

• ASP.NET Security Guidance - http://wiki.asp.net/page.aspx/48/security-guidelines-and-recommendations/

• MSCASI tool - http://support.microsoft.com/kb/954476

• AntiXSS Toolkit - http://wpl.codeplex.com/

• ASP.NET Security Guidance - http://blogs.msdn.com/b/nunoc/archive/2006/03/04/543631.aspx

• Advice from SDL - http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

• ASafaWeb - http://www.asafeweb.com

IIS Resources

• Security Guidance for IIS - http://technet.microsoft.com/en-us/library/dd450371.aspx

• IIS Lockdown tool - http://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

• URLScan - http://www.iis.net/learn/extensions/working-with-urlscan

• IIS Configuring security - http://learn.iis.net/page.aspx/88/configuring-security/

• IIS Security Tools - http://www.iis.net/community/Security

Additional Resources

I will upload a copy of the source files later, as a separate post with worked-through examples.