Showing posts with label Security. Show all posts

Friday, 13 April 2018

Another telco is failing at security

Update: 14-04-2018 : True Corp have issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai 

Back in January 2018, while at NDC London, Scott Helme introduced me to an interesting new technique for finding Amazon S3 buckets. Using the certificate transparency logs, which record every newly issued certificate, you can take the domain names from those logs as the wordlist for finding buckets. It's a novel approach, as most people normally use the Alexa top 1 million list.

Luckily there was already a tool for this on GitHub, called bucket stream. I demoed it at NDC Security Day in Oslo and left it for a bit before coming back to it again in March and deciding to do some digging and see what was out there. After about one hour, I had circa 500 open addresses.

What bucket stream doesn’t show is the content of the buckets, only that they are open, and the permissions associated. To get the contents, you can either visit the site manually and scan it or find another tool. In this case, that was bucket-finder which will list the contents of an S3 bucket and give you the public or private attributes.

Having an open S3 bucket is not a bad thing in itself. For example, you can use it as storage for a website or other such things, but when you use it for storing sensitive data and leave it open, this is a serious problem.

The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. Bucket finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose. 
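The check a bucket owner should be running over their own buckets, as an added example that is not part of the original post and not code from bucket stream or bucket-finder: it takes a bucket ACL in the shape boto3's get_bucket_acl() returns and reports which permissions are granted to everyone (the AllUsers group) or to any AWS account holder (AuthenticatedUsers). The ACL documents below are constructed for the demonstration and the owner id is a placeholder.

```python
# Grantee URIs the S3 ACL model uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed ACL, in the dict shape boto3's get_bucket_acl() returns, for the
# situation the post describes: anyone can list the bucket, and here any AWS
# account holder could also write to it. The owner id is a placeholder.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
    ],
}

# Constructed ACL for a correctly private bucket: only the owner has access.
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
    ],
}


def public_grants(acl):
    """Return {group_label: sorted permissions} for grants to the two public groups."""
    findings = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                      # a named account or owner is not public
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            label = "AllUsers"
        elif uri == AUTHENTICATED_USERS:
            label = "AuthenticatedUsers"
        else:
            continue                      # e.g. the LogDelivery group
        findings.setdefault(label, set()).add(grant["Permission"])
    return {label: sorted(perms) for label, perms in findings.items()}


def classify(acl):
    """Map public grants to the three bucket-level risks a reviewer cares about."""
    grants = public_grants(acl)
    perms = set(grants.get("AllUsers", [])) | set(grants.get("AuthenticatedUsers", []))
    return {
        # Bucket-level READ is the right to list the keys, which is exactly
        # what a listing tool needs to enumerate the files.
        "listable": bool(perms & {"READ", "FULL_CONTROL"}),
        "writable": bool(perms & {"WRITE", "FULL_CONTROL"}),
        "acl_editable": bool(perms & {"WRITE_ACP", "FULL_CONTROL"}),
    }


if __name__ == "__main__":
    for name, acl in (("sample", SAMPLE_ACL), ("private", PRIVATE_ACL)):
        print(name, public_grants(acl), classify(acl))
```

Two caveats when running this over real buckets: bucket-level READ governs listing, and whether each object is readable depends on the object's own ACL and the bucket policy, so check those too; and the listing API pages at 1000 keys per call, which is why a single call only shows the top 1000 files mentioned above.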

One such owner was True Move H, the second largest mobile operator in Thailand (source: Wikipedia). Their name was in the folder, which contained many files, mainly JPGs and PDFs. The first interesting thing I observed was the naming format: truemoveh/idcard/YYYY/MM/FILENAME.

I checked the first couple of files in the directory: one was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file, which was a scanned ID card of a Thai citizen.





At this point, I realised that they were storing the scanned ID cards they got from customers in this S3 bucket, and there was no security on it at all protecting the files. Simply put, if you found the URL, you could download all their customers' scanned details.

In all, over 32GB of data existed in this bucket, totalling 46K files, neatly organised by year.




I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address.



I sent their support department a full report on Saturday 10-Mar detailing how this was found, with examples of the files that were available, and asked to talk to their security team.

The response was quite shocking. They admitted not having a security department and said that I should contact their head office during business hours.





Now it was a case of trying to figure out what to do. I contacted Scott Helme to get his advice on the most effective course of action. He suggested that I should contact some journalists to help put some pressure on them to get this blatant problem fixed. Scott connected me with John Leyden of The Register, who also pushed True Move H to fix it.

We had heard nothing for 2 or 3 weeks and I decided that I was going to press the issue finally and told them on Mon 02-April that I would be publishing an article the following week.


On Wed 04-04 both John and I received identical messages from True Move H, saying that a team had been informed and were working on it. 



I checked again on Thursday 12-April 10:00 to verify if the files were available still and they were. At 19:00 they had finally been made private.

Unfortunately, this is not the first time this company has had issues with ID cards. Back in 2016, True Move H issued a sim card to a thief without checking ID first and the person linked to the SIM card lost a substantial sum of money. 

Along with T-Mobile Austria last week, this and other telcos are seriously failing at security and at protecting their customers' privacy. You should contact your provider and ask what they are doing to ensure this type of thing doesn't happen.


Friday, 1 January 2016

First look at the Wi-Fi Pineapple Nano

If you have seen any of my security presentations or attended any security talks hosted by Troy Hunt, you will be familiar with the Wi-Fi Pineapple. This is a small rogue access point that you can deploy within a couple of minutes and cause havoc with the Wi-Fi connections of the people around you. Hak5, the creators of the Pineapple, have now updated their product line with the new Wi-Fi Pineapple Nano.

The main reason for the update is the scarcity of the components that made up the Mark V and also the methods used by people who use the Mark V have changed. So the new Nano addresses these concerns with new radios and a new form factor.

I ordered mine from the US on the 20th of December, and I had it in my hands on the 24th of December in Ireland. So here is my review of the new Wi-Fi Pineapple Nano.

NOTE: The Wi-Fi Pineapple Nano is available as a developer kit right now, as Hak5 are waiting for SAR certification. This means that it's not official yet, but the hardware is V1.0 and ready to use. If you are buying this type of equipment right now, it shouldn't make any difference to you, but Hak5 have to tell you this.

What's in the box?

Opening the box you see straight away the new Nano form factor nicely cradled in protective foam. Under that is a USB Y-Cable for powering the device, 2 RP-SMA antennas and a very small instruction card. I picked up the Tactical edition which includes a Pineapple Juice 4000 battery pack, an attachable pouch and a morale patch.


With a standard issue external hard disk for scale


Nano in its protective foam


Unboxed and with an external hard disk for scale


The device has 2 Atheros high gain radios and a USB Ethernet adaptor. With the new USB Ethernet adaptor interface, you can power the device from your PC. It also means that the device can be used by mobile phones that have support for USB Ethernet such as Android devices. This makes the Nano much more mobile and easier to use in public places.

Setup

Setting up the device is a lot easier than it was with the Mark V. You just plug it in and it automatically assigns itself the correct IP address, compared to the Mark V, where you have to reconfigure the network settings.

You can go to http://www.wifipineapple.com/nano to get the latest walkthroughs on setup and also a copy of the latest firmware for the device.

On first browsing to the admin page, you are greeted with a page prompting you to update to the latest firmware. The page advises you to turn off the Wi-Fi radios using the multi-function reset button. A quick press turns off the radios and you can upload the latest firmware. After that, it is a similar process to the Mark V: you create a new root password, and an SSID and password for the access point. Once that is done, you log in to the new Admin UI.

Admin UI

The new admin dashboard is a change from the existing Pineapple Mark IV and V UIs. It's white for a start, and not panel driven as in the previous incarnations. This is both good and bad, and I will go through these points later.


The menu on the left shows all the different areas that you can play with. One of the major improvements is that the UI has a responsive design, so it will work on mobile devices.

One of the issues I have found with the new UI is that unlike the previous black UI, this version does not auto refresh so you will need to manually refresh the page to see the uptime, new SSIDs in the pool etc. I am guessing with such an early release this will be fixed in newer updates.

On the new PineAP menu you have the configuration for the powerful PineAP features. This is what allows you to spoof SSIDs and also attract devices to your access point instead of the real ones.


You need to enable the PineAP Daemon if you want to use the additional options below it, such as Beacon Response and Broadcast SSID Pool. The SSID broadcast is one of the most useful features in the whole Wi-Fi Pineapple arsenal, as you can create a custom SSID list with the most common SSIDs in use, which can be hotels and airports in the area. Hotel chains normally use the same Wi-Fi name so their customers will have an easier time connecting. All the better for me!
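A defender-side check related to the SSID pool described above, as an added example that is not part of the original post and not code from Hak5: it reads a simplified scan export and flags a single BSSID beaconing many unrelated SSIDs, or a corporate SSID being beaconed by an access point that is not in the site's inventory. The scan lines, the inventory and the threshold are constructed for the demonstration, and the "BSSID,SSID,channel" layout is an assumption rather than any scanner's real output format.

```python
from collections import defaultdict

# Constructed scan export: one "BSSID,SSID,channel" line per beacon observed.
# The last six lines are what a survey would see if one radio were beaconing a
# pool of well-known hotspot names next to the site's own network.
SCAN = """\
00:11:22:33:44:01,CorpWiFi,6
00:11:22:33:44:02,CorpWiFi,11
aa:bb:cc:dd:ee:01,CorpWiFi,1
aa:bb:cc:dd:ee:01,Airport_Free_WiFi,1
aa:bb:cc:dd:ee:01,Hilton Honors,1
aa:bb:cc:dd:ee:01,Starbucks WiFi,1
aa:bb:cc:dd:ee:01,BTWifi-with-FON,1
aa:bb:cc:dd:ee:02,Airport_Free_WiFi,1
"""

# Assumed inventory: the BSSIDs of the organisation's own access points and
# the SSID they are expected to advertise.
KNOWN_CORP_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
KNOWN_CORP_SSIDS = {"CorpWiFi"}


def parse_scan(text):
    """Parse the export into a set of (bssid, ssid, channel) tuples."""
    beacons = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bssid, ssid, channel = line.split(",", 2)
        beacons.add((bssid.lower(), ssid, int(channel)))
    return beacons


def ssid_pool_bssids(beacons, threshold=3):
    """BSSIDs that beacon at least `threshold` distinct SSIDs.

    Legitimate APs do advertise a few SSIDs (staff, guest, IoT), so the
    threshold is a tuning knob; a hit is a lead for a walk-round, not proof.
    """
    by_bssid = defaultdict(set)
    for bssid, ssid, _channel in beacons:
        by_bssid[bssid].add(ssid)
    return sorted(b for b, ssids in by_bssid.items() if len(ssids) >= threshold)


def evil_twins(beacons):
    """Corporate SSIDs beaconed by a BSSID that is not in the AP inventory."""
    return sorted({(bssid, ssid) for bssid, ssid, _channel in beacons
                   if ssid in KNOWN_CORP_SSIDS and bssid not in KNOWN_CORP_BSSIDS})


if __name__ == "__main__":
    seen = parse_scan(SCAN)
    print("SSID pool suspects:", ssid_pool_bssids(seen))
    print("Evil twin suspects:", evil_twins(seen))
```

The second check is the one that protects a corporate estate: a device that has previously joined CorpWiFi will happily associate with whichever radio advertises that name, so an unknown BSSID carrying your SSID deserves a physical look regardless of how many other names it is beaconing.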


The new reporting module is what really struck me. For extended engagements, you can get reports emailed to you and also paint a picture when you are doing recon for a penetration test. Stick this device under a desk in a cable mounting and it will work away happily sending you information.

Overall thoughts

The Nano is not the successor to the Mark V but an update of the existing concept. It is wrapped in a new form factor, more portable but it is still limited to the 2.4GHz range. The very recently announced Wi-Fi Pineapple Tetra will allow both 2.4GHz and 5GHz in the one box and looks more like the Pineapple Mark VI.

Does that mean that the Nano is already out of date? No! It still serves a very handy purpose. More devices operate on the 2.4GHz frequency than on 5GHz, and I don't know off the top of my head if any devices work exclusively in the 5GHz band. For portability, this device is excellent, and it is also discreet in comparison to the Mark V, which is saying something considering how small the Mark V is.

Depending on your usage requirements and your attack scenarios, the Nano will make more sense than the Mark V or the Tetra.

If you are in Oslo for the ProgramUtvikling Security Day, you will get a chance to see the device up close and have a play with it.

Sunday, 28 September 2014

Showing your NAS to the world.

The world has gone very digital and we now store a massive amount of data on our phones, our laptops and other devices that are prone to being lost, dropped or drowned.

To combat this fear of data loss, a growing number of people are buying home NAS (network attached storage) solutions. These little boxes sit in the corner and usually have software that you can install on your computer to perform automatic backups, thus mitigating the need to think about doing file backups.

Convenience over security

Some of these manufacturers have included really nice features such as FTP services so that you can access your files from outside your home network thus giving you the feeling of your own private cloud. The problem is that people turn on this feature but forget to set a password. Or worse, ignore setting the password altogether. Often it is in the belief that these files will never be found by the general public, much in the same way that people will not to think to look under the mat for the front door key.

Finding what is out there

There are many different ways to search for FTP sites. The most basic one is your search engine of choice which more often than not is Uncle Google, the “benevolent” overseer of the web.

However if you use one of the more specialized search engines such as ftpsearch.co or searchftps.org, you can start looking for specific files and types. Take it one step further and mix in the likes of Shodan.io and it becomes much more obvious that there is a high state of ignorance towards securing these services and people don’t recognize the danger of what they are doing for the sake of convenience.  

Let's look at some basic searches, such as password xls on searchftps.org (ftpsearch.co blocks certain keywords). This query will return results where the two terms are used in the same URL. A lot of people share passwords using Excel, especially in small corporate environments.

As we all know or should know, saving passwords in Excel, text files or any other unsecured file format is the same as writing it on a post it note and leaving it on your computer screen.


A look at one of these files shows how much information leakage we are looking at. The owner of this file has already been notified that they should password protect their FTP solution or, better still, move it to SFTP or SCP and change all the passwords. In addition, using something like KeePass, LastPass or any other password manager will be a much better solution for them.

Moving on a bit, it's time to see what other information can be found. The directory MobileSync is used by the Apple iTunes program as the save location for your local iPhone backups. A quick search for MobileSync plist will show iPhone backups.

Using a tool such as iPhone Backup Extractor from Reincubate will allow you to extract the contents of the phone to your local hard disk. A lot of people store much more than numbers on their phone. This tool will extract text messages, pictures and videos and of course anything else that is saved in the file system. If you have managed to find someone’s Apple ID account name and password, you can download it straight from iCloud using Elcomsoft EPPB.

Pictures of credit cards, passports, loved ones, very private pictures and messages can all get leaked in this way. There has been a huge amount of publicity lately around this in relation to release of a large amount of private images stolen from celebrities phones. 

As a parent, this is quite terrifying. Phone images more often than not contain GPS data, which is more information to a potential predator. If it’s a corporate phone, there is bound to be some saved attachments from mails which can lead to issues such as loss of competitive advantage. 

People also save complete copies of their hard disks in the form of VHD files. These virtual hard disks can be mounted in Windows for example. A quick change of the permissions on the folders and the hard disk is ready to be explored. More so, they can extract the local password database from it and brute force the password. Given that Windows 8 now for the most part uses Microsoft accounts which are linked to online accounts, you could be opening yourself to a world of hurt and potential identity theft.

How bad is it?

This problem is extremely widespread, as seen by the number of files being indexed on a daily basis. The front page of searchftps.org proclaims to have 658,200,216 files (8181.99 TB) on 21,505 FTP servers. That's a lot of files exposed. Even if only 1% of it is personal backups, you are looking at 82TB of data. That's a lot of passwords!

So what is the fix for this?

The easiest and quickest option is to disable anonymous access to your FTP server if you have not done so already. Below is a list of common FTP/NAS providers and links to documentation on their FTP services.

The next thing would be to look at whether you need FTP at all and, if you do, to switch to SCP or SFTP, as FTP in itself is inherently insecure.
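The two fixes above as an automated check, added here as an example that is not part of the original post and not from any NAS vendor: it parses a vsftpd-style "key=value" configuration (the key names anonymous_enable, ssl_enable and force_local_logins_ssl are real vsftpd settings; both sample files are constructed) and reports anonymous access and clear-text transfer. Commercial NAS units keep the equivalent settings in their own web UI, so treat the key names as the questions to ask of your own box rather than something to copy verbatim.

```python
# Constructed vsftpd-style configuration with the two weak settings the post
# warns about: anonymous logins allowed and no TLS.
WEAK_CONF = """\
# vsftpd configuration (constructed sample)
listen=YES
anonymous_enable=YES
anon_root=/volume1/public
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# The same file with anonymous access off and TLS required for logins and data.
FIXED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_conf(text):
    """Parse key=value lines into a dict; '#' lines and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    settings = parse_conf(text)

    def setting(key, default):
        return settings.get(key, default).upper()

    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES; distribution
    # configs usually override it, so a missing key is still reported.
    if setting("anonymous_enable", "YES") == "YES":
        findings.append(("high", "anonymous FTP login is enabled"))
        if setting("anon_upload_enable", "NO") == "YES":
            findings.append(("high", "anonymous users may upload files"))
    if setting("ssl_enable", "NO") != "YES":
        findings.append(("medium", "TLS disabled: credentials and data travel in clear text"))
    elif setting("force_local_logins_ssl", "YES") != "YES":
        findings.append(("medium", "TLS optional for local logins"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf))
```

Even the fixed file only hardens FTP; if the NAS offers SFTP (SSH), turning FTP off entirely removes the service that the indexing sites crawl.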

The issue can be so easily prevented as with all personal security. Do not bare your NAS to the world unless you are happy with the world seeing your private data.

Monday, 9 May 2011

Resources from DDD Scotland 2011

On Saturday 7th of May 2011,  I presented Defensive Programming 101 at DDD Scotland 2011 in Glasgow. This was the second time I have presented at DDD Scotland and I was thankful to be invited back.  Like last year, it was the same presentation.

I was lucky in my presentation that most of the audience was awake and didn’t mind me asking them questions. Or maybe they did and just didn’t complain! The session went smoothly enough and I would like to say sorry for the human failure in the middle when I mixed up my demo a bit.

Thanks again to the organizers, who did a fantastic job in making sure the day went smoothly.

Based on last year's feedback I changed the slides to remove most of the wordy slides, which in turn made my presentation into a collection of pictures. However, at the end I had a lot of resource links, and I am publishing them here for those who wanted a copy of them.

Resources Slide 1

Resources Slide 2

The demo bits are available from here and here (they are done as separate posts)

Finally the copy of my presentation on SlideShare

Sunday, 24 October 2010

Talks in November

I am off down to Ireland in November thanks to Microsoft Ireland, and I will be doing some talks for the Microsoft Technology User Groups around the country. All of the sessions are free, but registration is required so that we can track numbers and make sure we have seats for everyone.

Currently the Thursday slot is open if one user group wants to chime in and take it.

The current schedule is as follows

Monday, 27 July 2009

Issue #4 Directory Traversal

This issue is one where you can get caught even though you think you are being smart :) Directory traversal means exactly what it sounds like: moving between directories when you are not supposed to be able to. Now, this is not like traversing directories when directory browsing is on in IIS, for example. It means downloading files where it would normally be impossible to do so, such as the web.config.

Firstly it relies on a bit of patience and some poking around to find the correct information. Let us consider the following scenario.

The developer has created a nifty file download solution. It takes the name of a file and sends the file to the user with a Save As dialog box. A common enough scenario. The developer has created this application using ASP.NET and used the TransmitFile function that is part of the Response object.

A sample URL: http://mydomain.com/ServeFile.aspx?FilePath=File.txt. In the code behind, the developer uses code like the following:

var filename = DateTime.Now.Ticks + ".txt";
var filePath = Request.QueryString["FilePath"];

if (string.IsNullOrEmpty(filePath)) return;

// Deliberately vulnerable: the user-supplied name is appended to the web
// root with no validation at all, so any file under the root can be asked for.
Response.ContentType = "text/plain";
Response.AppendHeader("Content-Disposition", "attachment; filename=" + filename);
Response.TransmitFile(Server.MapPath("~/") + filePath);
Response.End();


Fairly routine code, nothing too surprising. The developer creates a new filename and sets the content type of the request to text and then serves the file which will prompt a Save As dialog box in most browsers.


So where is the problem?


Let's look at the following things. Server.MapPath("~/") returns the physical root directory of the web application (with a trailing separator), and the page blindly serves whatever file it is pointed at as a text file. Let's for the moment assume that the directory it returns is c:\webs\Demo


So what would happen if we changed the URL slightly to the following:  http://mydomain.com/ServeFile.aspx?FilePath=web.config


Now the web.config file would be served as a text file to the user. If this config file contained connection strings that were not encrypted or other sensitive material, your system would be seriously compromised.  Furthermore, if the system is designed using the ASP.NET website template, you could download the ASPX and CS/VB code behind files as well as other DLLs and reverse engineer them. Your system would be thoroughly penetrated.


Right, so you found this issue and you change the code to use a specific directory for downloadable files. Your code now looks like this:


var filename = DateTime.Now.Ticks + ".txt";
var filePath = Request.QueryString["FilePath"];

if (string.IsNullOrEmpty(filePath)) return;

// Still vulnerable: the base directory is fixed, but the user-supplied name is
// appended unchecked, so ".." components can still walk out of downloads.
Response.ContentType = "text/plain";
Response.AppendHeader("Content-Disposition", "attachment; filename=" + filename);
Response.TransmitFile(Server.MapPath("~/downloads/") + filePath);
Response.End();

So the download URL is still the same http://mydomain.com/ServeFile.aspx?FilePath=File.txt. And the directory it is trying to read is c:\webs\Demo\downloads


If we try the http://mydomain.com/ServeFile.aspx?FilePath=web.config URL we will get an error, as there is no web.config file in that directory. So we are safe. Well no, you are not. Let's change the FilePath query string variable once more: http://mydomain.com/ServeFile.aspx?FilePath=../web.config


So in this case the directory is now c:\webs\demo\downloads\..\, which is translated to c:\webs\demo because ..\ means go one directory up from the current one. Again we can download the web.config. It works because the operating system normalises the path, resolving the ..\ before the file is opened, so the directory you concatenated is not the directory that gets read.


So how do you avoid such problems? Well, first, don't do what was just shown. If you do want to transmit a file to the user, make sure you know exactly what you are transmitting. Additionally, a check to see if it's the correct file type will usually give you an idea if something funky is happening.


You can prevent such types of problems by again validating your input and not sending the filename you want to download across the wire. Using id numbers is ok, but make sure you check your inputs again.
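The two mitigations above (know exactly which file you are sending, and look files up by id rather than by a filename from the wire) as an added example, not code from the original post or its downloadable sample. It is written in Python so that it runs anywhere; the same containment check is done in C# with Path.GetFullPath followed by a StartsWith test against the downloads directory. The download directory, the id table and the list of allowed file types are constructed for the demonstration.

```python
import os

# Constructed id -> filename table, standing in for the database lookup behind
# the "use id numbers" advice in the post.
CATALOGUE = {"1": "File.txt", "2": "Report.pdf"}


def resolve_download(base_dir, requested, allowed_suffixes=(".txt", ".pdf")):
    """Return the absolute path to serve, or None if the request must be refused.

    The protection is containment after canonicalisation: normalise both the
    download directory and the candidate path, then require that the candidate
    still lies inside the directory. A ".." component or an absolute path makes
    the candidate escape, so it is rejected however the separators were written.
    """
    if not isinstance(requested, str) or not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so the
    # containment test below, not join(), is what protects the directory.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:          # different drives on Windows: never inside
        inside = False
    if not inside or candidate == base:
        return None
    # Allow-list the file types that are meant to be downloadable, so a config
    # or source file that ends up in the directory by mistake stays hidden.
    if os.path.splitext(candidate)[1].lower() not in allowed_suffixes:
        return None
    return candidate


def resolve_by_id(base_dir, file_id):
    """Look the file up by a numeric id instead of trusting a filename."""
    if not isinstance(file_id, str) or not file_id.isdigit():
        return None
    name = CATALOGUE.get(file_id)
    return resolve_download(base_dir, name) if name else None


if __name__ == "__main__":
    base = "/srv/webs/demo/downloads"          # constructed, mirrors c:\webs\Demo\downloads
    for req in ("File.txt", "web.config", "../web.config", "/etc/passwd"):
        print(f"{req!r:>20} -> {resolve_download(base, req)}")
    print("id 2 ->", resolve_by_id(base, "2"))
```

Note that the suffix check runs after containment, not instead of it: "../web.config" fails containment, "web.config" fails the allow-list, and "sub/../File.txt" normalises back inside the directory and is served. The id lookup sidesteps the problem entirely, which is why it is the better design when the set of downloadable files is known.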


Always put your web apps on a different partition from your system files, because with the same ..\ trick it would be possible to get access to the other configuration files (providing that the permissions allowed it).


Make sure your web server is fully patched and the correct permissions for your application are in force.


You can use tools such as URLScan and IIS Lockdown to scan your system for vulnerabilities. These tools are free and part of a well maintained server. Just be aware that URLScan and IIS Lockdown can sometimes adversely affect your server's ability to serve certain requests, such as ASMX, which is possible if you tighten the security too much or don't configure the settings correctly.


You can download the code sample for this post here. It just shows how the code can be manipulated and serves as an example of what not to do!

Issue #5 Incorrect Permissions

This is a very common problem and usually comes about due to a lack of knowledge of how to secure an application or perhaps because the developer is afraid of what will break if they apply the correct permissions. Usually when we develop, we are administrators on our own machines and probably system administrators on the SQL Server machine as well.

Additionally it may come down to some components requiring elevated privileges to work. This can happen for example if you want to do Excel automation from an ASP.NET application.

Windows programmers can require Administrator rights as well, to access certain hives in the Windows registry. Even Visual Studio requires admin rights so that you can develop otherwise you cannot debug certain application types.

If you use permissions that are too loose on your database, you can leave yourself wide open to the more severe side of SQL injection attacks.

You should use the lowest level permissions you can get away with for your application. It is better to add permissions than take away so start with a highly restricted account and add only the permission you need to ensure the correct working of your application.

Ideally you should look at specific accounts for your applications to allow separation of roles for applications.

Wednesday, 22 July 2009

Issue #7 Client Side Validation

Now, how many people do you know who turn off JavaScript in their browser as a security measure? Not a lot, I would bet. This is because JavaScript is becoming more and more the backbone of the web user experience.

It also forms most of our client side validation because it works in all browsers. So simply by turning it off you can circumvent what most people use as their only line of defense.

Another possibility is that you check for this information but someone changes the function to return a positive result all the time, regardless of inputs. This can usually be done quite easily with modern in-browser developer tools.

So to prevent these types of mistakes you shouldn’t rely on your client side validation as your only method of validating input before it hits your data repository.

You should always use a central validation source so that all strings for example are validated in the same manner, all integers etc. This way, you can manage changes to your code base more effectively and also you will follow the DRY principle.

There is an example on Daily WTF of this issue being exploited very easily and saving the submitter of the article a couple of dollars in the process.

You should only use whitelists rather than blacklists. Whitelists define what you will expect whereas blacklists define all that you don’t expect which you may or may not know. So which is easier to implement when you see it written like that?

You need to make sure that you escape any special characters. Most Irish based developers are familiar with escaping the apostrophe, as it appears in many Irish surnames. But if other special characters are possible in your inputs, you should be expecting them and code accordingly.

Try to validate your inputs according to the RFC rules for that input and, finally, when you are using XML, validate it against the schema. The Validation class in the System.Xml namespace is very useful in this regard and should be in your standard toolkit of code snippets when you are dealing with XML.
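The central, allow-list validation the last few paragraphs describe, as an added Python example that is not code from the original post: one rule table defines what each field may contain, every submitted form is checked against it on the server regardless of what the browser did, and a field the server never asked for is treated as tampering. The field names, patterns and sample forms are constructed for the demonstration.

```python
import re

# Central rule table: one allow-list pattern per field the server expects.
# The patterns are assumptions for the demonstration; adjust to your data.
RULES = {
    # Letters (including accented ones) plus apostrophe, hyphen and space, so
    # O'Brien and Ní Bhriain pass while an apostrophe followed by SQL or script
    # punctuation does not. Escaping is not needed when nothing else is allowed.
    "surname": re.compile(r"[A-Za-z\u00C0-\u017F][A-Za-z\u00C0-\u017F' -]{0,49}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),    # 1..999: no sign, no decimals
    "order_id": re.compile(r"[0-9]{1,10}"),
}


def validate(form):
    """Validate a submitted form dict; return {field: reason} (empty = accepted)."""
    errors = {}
    for field, pattern in RULES.items():
        value = form.get(field)
        if not isinstance(value, str):
            errors[field] = "missing"
        elif pattern.fullmatch(value) is None:      # whole value must match
            errors[field] = "rejected by allow-list"
    # A field the server never asked for is itself a sign of a tampered form,
    # for example a client-side-only price that was never meant to be posted.
    for field in sorted(set(form) - set(RULES)):
        errors[field] = "unexpected field"
    return errors


def handle_order(form):
    """Server-side gate: refuse anything that fails validation before it is used."""
    errors = validate(form)
    if errors:
        return {"status": "rejected", "errors": errors}
    # Only now is the data converted and used; the price comes from the
    # server's own catalogue, never from the client.
    return {
        "status": "accepted",
        "surname": form["surname"],
        "quantity": int(form["quantity"]),
        "order_id": form["order_id"],
    }


if __name__ == "__main__":
    honest = {"surname": "O'Brien", "quantity": "2", "order_id": "1001"}
    # Constructed tampered submission: client-side checks bypassed, a sign
    # added to the quantity and a hidden price field injected.
    tampered = {"surname": "O'Brien'; DROP TABLE orders--", "quantity": "-1",
                "price": "0.01"}
    print(handle_order(honest))
    print(handle_order(tampered))
```

Because the rules live in one table, a change to what a surname may contain is made once and applies to every form that carries one, which is the DRY point above. For the apostrophe specifically, the allow-list stops the obviously hostile strings, but the database layer should still use parameterised queries so that a legitimate O'Brien is never concatenated into SQL either.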

Additional previous posts (10, 9, 8)

Issue #8 Not Patching

Following on from my previous posts (10 & 9)

In the Microsoft world we have update Tuesday, which is the second Tuesday of every month and is when most of the patches appear on the Windows Update service. Commonly, the Wednesday after this is known as "Rollback" Wednesday because, as it happens, something is invariably broken by the updates. So system administrators have become wary of blindly applying patches to their servers without fully testing the implications of the patch in a staging environment. This unfortunately means that your servers may not be patched as soon as you would like them to be.

So even though you may have designed this ultra-secure system which has been put through its paces in the development and staging process, it still may be vulnerable due to some known or unknown exploit of the underlying web server or operating system.

All web servers are continuously being updated to defend against exploits that have been discovered. Avoiding this issue relies on you making sure that you keep your systems up to date. Now, there will be a lot of developers out there who are not in charge of the servers they deploy to, be it that the systems are deployed to a hosting provider or that the internal IT structure means there are dedicated people in charge of servers. So what is required is a solid communications channel between the developers and the admins to ensure that the underlying OS and web server are as solid as possible, thus removing this particular attack vector.

You can use Google for example to locate unpatched or unprotected servers.

Monday, 29 June 2009

Security Mistakes #9 Passwords

Let us continue on with the series of common security mistakes in web development.

Passwords, or leaving them unencrypted on publically accessible servers. This is a very common mistake that a lot of new and seasoned programmers alike make.

Even though the web.config is not served by IIS, what would happen if a new virus or undiscovered bug came along and changed this? Encrypting your web.config is quite simple and can be done via the .NET Framework. I have explained how to do this in a previous post.

Added to this, passwords stored in databases should also be stored in a form that cannot be decrypted. You can do this using the SHA1 class in System.Security.Cryptography, which is a one-way hash: hash the input and compare the result with the value stored in the database.

You shouldn’t write your own crypto protocols and also you should keep up to date with the protocols as they go out of date.

If you fancy some interesting(!) reading take a look on the Google Code Search tool to find places where people haven’t encrypted their connection strings. Sample search here

Friday, 12 June 2009

Security mistakes #10 Admin info

I will be doing a single post on each point to allow people to understand what I was talking about at the NNUG Stavanger meeting.

So let's start with issue #10, which was leaving admin info on the server.

This is not just about leaving passwords in plain text but leaving valuable clues to allow a person to penetrate your security and your web application. Examples of such information include Trace info, debug info, descriptive error messages, unsecured admin tools and test pages which output sensitive information.

It is possible to use Google to find vulnerable web sites and also such information on web servers. Because Google allows you to use certain search operators to refine your search you can search for particular files for example on a site.

Take, for example, creating a backup file of the site contents in a folder called backup that is browsable. A quick search of the site with Google could allow someone to find this information and gain access to your source code, which would give them a lot of time to study it for security vulnerabilities.

intitle:index.of "parent directory" site:your site

Leaving the trace file will also give away a lot of information.

So set trace to off or, at least, set the localOnly value to true.
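The trace and debug settings above as a pre-release check, added here as an example that is not code from the original post: it parses a web.config and reports the system.web settings that leak information to remote users, using the ASP.NET defaults (trace off, localOnly true, customErrors RemoteOnly, debug false) when an attribute is absent. Both configuration files are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config with every information-leaking setting switched on.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
"""

# The same file with production values: trace off, errors hidden, no debug.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
"""


def _setting(section, tag, attr, default):
    """Read attr from <tag> under <system.web>, falling back to the ASP.NET default."""
    element = section.find(tag)
    value = element.get(attr, default) if element is not None else default
    return value.strip().lower()


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means nothing is exposed."""
    root = ET.fromstring(xml_text)
    section = next((child for child in root if child.tag == "system.web"), None)
    findings = []
    if section is None:
        return findings                       # nothing configured: defaults apply
    if _setting(section, "compilation", "debug", "false") == "true":
        findings.append("compilation debug=true: debug builds and stack traces reach clients")
    if _setting(section, "customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors mode=Off: detailed error pages are shown to remote users")
    trace_on = _setting(section, "trace", "enabled", "false") == "true"
    if trace_on and _setting(section, "trace", "localOnly", "true") == "false":
        findings.append("trace enabled with localOnly=false: trace.axd is reachable remotely")
    elif trace_on:
        findings.append("trace enabled (local only): switch off before release")
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name)
        for finding in audit_web_config(config) or ["no findings"]:
            print("  -", finding)
```

Running this against the deployed file, rather than the one in source control, is the point: trace and debug are usually switched on for a support call and then forgotten, which is exactly how the information ends up indexed.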