
What’s My Password?

October 1, 2009

Since personal information is so valuable these days to big companies for targeted marketing, I thought I would put together a weekly thread dedicated to keeping yourself safe while on your computer and surfing the net.

This week’s topic is Password Management:

We are on a forum here, and I am sure you have signed up for many other online (cloud-style) services like Gmail, Hotmail, etc. Some of you might be using the same password for every site you log in to, for convenience. Others might have 2-5 different ones and use your browser's "Save this password" feature so you don't have to remember them.

If you are using the same password for every site, this is an accident waiting to happen. Forums are a haven of buggy code that is easily exploited, not just by experienced hackers but by script kiddies alike. There are even full software programs (I won't mention their names in this thread but you can PM for details) built around known vulnerabilities in forum packages like the one we use here. Now, the passwords in the database holding your information are hashed, not encrypted: a hash cannot be decrypted back into the password, but if the forum stored unsalted hashes and your password is a dictionary word, it can be cracked offline in seconds. Once a hacker has control over the system they do not even need to crack anything: they can sit in the middle of the login flow, for example by altering the login page so it records your password in plaintext before it is hashed, or, even easier, change the email address in your account info, request a password reset, and have your new temporary password mailed to them. On this board that probably doesn't mean much, but think of a site where it might. If you use the same password for all sites and they get a copy from a hacked forum, they now have access to the other online services that you do care about.
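To make the "hashed, not encrypted" point concrete, here is an added example (not code from the original post) of what an attacker does with a dumped table of unsalted MD5 hashes of the kind old forum packages stored. Nothing is decrypted; candidate passwords are hashed the same way the forum did and compared. The user names, passwords and wordlist are constructed for illustration.

```python
"""Why a leaked table of hashed forum passwords is still dangerous.

Added example, not code from the original post. Hashing is one-way, so the
attacker does not decrypt anything; they guess candidate passwords, hash each
one the same way the forum did, and compare. The user names, passwords and
wordlist below are constructed for illustration.
"""
import hashlib
from typing import Dict, List


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way many 2000s-era forum packages stored passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed dump. In a real breach the attacker only has the hex strings;
# they are generated here so the example is self-contained.
LEAKED_FORUM_DB: Dict[str, str] = {
    "alice": md5_hex("password123"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("t9#Qv7!xLp2&Zr4mWq"),  # long random password from a manager
    "dave": md5_hex("password123"),         # same weak password as alice
}

# Constructed mini wordlist; real attacks use lists with millions of entries.
WORDLIST: List[str] = ["123456", "password", "password123", "qwerty", "letmein", "abc123"]


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for every hash found in the wordlist.

    Because there is no per-user salt, each candidate is hashed once and
    checked against the whole table at dictionary-lookup cost; the work does
    not grow with the number of users.
    """
    hash_to_word = {md5_hex(word): word for word in wordlist}
    return {user: hash_to_word[h] for user, h in db.items() if h in hash_to_word}


def shared_hashes(db: Dict[str, str]) -> List[List[str]]:
    """Groups of users with identical hashes.

    Identical unsalted hashes mean identical passwords, which the attacker
    can see before cracking a single one.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in db.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    recovered = crack_unsalted(LEAKED_FORUM_DB, WORDLIST)
    for user, password in recovered.items():
        print(f"{user}: {password}")
    print("not recovered:", sorted(set(LEAKED_FORUM_DB) - set(recovered)))
    print("users sharing a password:", shared_hashes(LEAKED_FORUM_DB))
```

The three weak passwords fall to a six-word list; the long random one does not, which is exactly the situation a password manager puts you in. A site that salts each hash and uses a slow function (bcrypt, scrypt, PBKDF2) forces the attacker to redo this work per user and per guess, but you cannot see from the outside how a forum stores your password, so a unique password per site is the only defence you control.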

The same goes for passwords saved in browsers. Say you are at a convention and your laptop is stolen: it is quite easy to get into the machine and pull the stored passwords out of your browser. That can mean personal information or, worse, banking information.

If you have read this far, this is the part where I suggest the best way to keep this from happening to you. Hence the topic "Password Management": I am going to suggest that you get a password management program. It lets you store a different password for each of your sites in one centralized location. You ask, if my computer is stolen won't they have all of that anyway? No. A password manager keeps your passwords in a database file that is encrypted with a master password you choose, so without the master password the file is useless to the thief. This frees up your brain to remember only one password again. When you go to a site and have to log in, you simply open your password manager, select the password you have stored for that site, copy it to the clipboard and paste it into the login page.

The great thing about password managers is that they usually come with a built-in password generator where you can set the length and the types of characters to use. This creates a random password that will almost certainly never be generated again, so if someone ever does get your password for a forum or site, that is all they get.
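An added example of what such a generator does under the hood (this is not the code of KeePass, KeePassX or 1Password): draw from a configurable alphabet using the operating system's cryptographic random source, guarantee every requested character class appears, and report the resulting entropy so the strength of a length/character-class choice can be compared. The character classes and default length are choices made for this illustration.

```python
"""Random password generation of the kind a password manager's generator does.

Added example, not the code of KeePass, KeePassX or 1Password. The character
classes and default length are choices made for this illustration.
"""
import math
import secrets
import string
from typing import Iterable, Tuple

# Character classes a generator typically lets you toggle.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES: Tuple[str, ...] = ("lower", "upper", "digits", "symbols")


def has_all_classes(password: str, classes: Iterable[str]) -> bool:
    """True if at least one character from every requested class is present."""
    return all(any(ch in CHARSETS[c] for ch in password) for c in classes)


def generate_password(length: int = 20, classes: Iterable[str] = ALL_CLASSES) -> str:
    """Draw a password uniformly from the alphabet using the OS CSPRNG.

    `secrets` is used rather than `random`, whose Mersenne Twister output is
    predictable once an attacker has seen enough of it. Rejection sampling
    keeps the draw uniform while still guaranteeing every requested class
    appears (for sites that insist on "at least one digit and one symbol").
    """
    classes = tuple(classes)
    if not classes or any(c not in CHARSETS for c in classes):
        raise ValueError("unknown character class")
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def entropy_bits(length: int, classes: Iterable[str] = ALL_CLASSES) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This is the figure a generator's strength meter should report; the small
    loss from rejection sampling is ignored here.
    """
    alphabet_size = sum(len(CHARSETS[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (12, 16, 20):
        print(f"{n} chars, all classes: {generate_password(n)}  ~{entropy_bits(n):.0f} bits")
    print(f"16 lowercase letters only: {generate_password(16, ['lower'])}  "
          f"~{entropy_bits(16, ['lower']):.0f} bits")
```

Twenty characters drawn from all four classes give roughly 128 bits, far beyond anything a wordlist attack reaches; the point of the generator is that the password has no structure for the attacker to exploit, so the only thing protecting your other accounts after a forum leak is that each site got a different one.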

Here are some links to good password managers:

Windows (FREE): http://keepass.info/

Windows/Mac/Linux (FREE): http://www.keepassx.org/

Mac ($30): http://1passwd.com/screen_shots


Social Networks Securely

May 10, 2009

The fact that social networks like Facebook, Twitter and LinkedIn are growing at an alarming rate is not surprising. We are a social species and try to interact with others as much as possible. But do not forget that these internet services are designed with a "can we, not should we" attitude. What I mean is that the web developers treat security as an afterthought when building these sites. They are so engrossed in making new features that expand the user base and coolness factor of their respective sites that they forget the hackers out there are counting on exactly those oversights.

Not only are they writing new features for the web services themselves, they have also implemented their own frameworks (APIs) that allow individuals to write add-ons to the network. A great example was Scrabulous on Facebook, which let Facebook subscribers play Scrabble against one another. This is a great feature that a lot of people took advantage of and still do (except that the name has changed).

By handing some control over to others to implement their own third-party add-ons, you have taken away the quality control factor. People can make malicious add-ons that might not be detected as such until they have stolen information from thousands, if not millions, of subscribers' pages.

Just by putting information about yourself online you are assuming that the services you use are secure and can keep that data away from prying eyes. People are getting more and more liberal about sharing photos, personal information and tell-tale data about themselves every day. I caution this not because I am paranoid or wear a tin foil hat, but because cyberstalking is already here and becoming more prevalent with each passing day. If you want a greater idea of how a photo can increase your chances of identity theft, take the time to watch Johnny Long's presentation "No Tech Hacking" here (http://video.google.com/videoplay?docid=-2160824376898701015) and also buy his book "No Tech Hacking" from Syngress Publishing here (http://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159).

I will give just one example of social networks not being secure, and it is about Twitter. There have been a few Twitter worms that you can read about here (http://mashable.com/2009/04/11/stalkdaily-twitter/) and here (http://mashable.com/2009/04/12/mikeyy-another-twitter-worm-on-the-loose/), but what I am going to address is the program TweetDeck. This flaw was brought to my attention by Larry Pesce from PaulDotCom Security Weekly and consists of your Twitter account credentials (username and password) being sent to Twitter as nothing more than Base64-encoded text. Why that is relevant is that Base64 is an encoding, not encryption: there is no key, so anyone who sniffs your internet traffic can decode it in a matter of seconds. Say you are at an airport, you check your Twitter account via TweetDeck, and you decide to look at a friend's profile because he added a new picture. Your username and password can be gleaned by anyone connected to the same wireless network you are.
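To show how little work "reversing" Base64 is, here is an added example (not code from the original post or from TweetDeck) that pulls the username and password out of a captured plain-HTTP request carrying Basic authentication, which is how Base64-encoded credentials travel. The request, path and credentials (user / pass) are constructed for the illustration.

```python
"""Recovering HTTP Basic credentials from sniffed traffic.

Added example, not code from the original post or from TweetDeck. Basic
authentication puts "username:password" through Base64, which is an encoding
with no key, so anyone who captures the request reverses it instantly. The
request below is constructed; the path and credentials are illustrative.
"""
import base64
import binascii
from typing import Optional, Tuple

# Constructed capture of one plain-HTTP request, as a sniffer on the same
# open WiFi would see it. The credentials encoded here are user / pass.
CAPTURED_REQUEST = (
    "GET /statuses/friends_timeline.json HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "User-Agent: example-client/1.0\r\n"
    "\r\n"
)


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic Authorization header, or None.

    Header names are case-insensitive, so match them lowercased. Anything
    other than a decodable Basic token is treated as "no credentials" rather
    than an error, which is how a sniffer would skim a stream of requests.
    """
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        username, colon, password = decoded.partition(":")
        if not colon:
            return None
        return username, password
    return None


if __name__ == "__main__":
    creds = extract_basic_credentials(CAPTURED_REQUEST)
    print("recovered credentials:", creds)
```

The only thing that stops this is transport encryption: over HTTPS the sniffer sees ciphertext and the Base64 header never appears on the wire. Base64 protects nothing and was never meant to.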

Now you say, OK, so they can get into my Twitter account, big deal. Well, according to studies (http://www.pcworld.com/article/161078/one_third_use_same_password.html) and (http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html), one third of people use the same password for everything. So using the same password, for ease of use, as for your bank website is an extremely scary thing. But it is not just about reusing a password; you should also be using extremely hard to guess passwords. You can read a post I've made about passwords and their secure use here (http://www.606studios.com/bendisboard/showthread.php?t=144301).

So after my long-winded rant, here are some good tips for staying secure on social networks.

  1. When you sign up, use an internet handle that isn't your real name.
  2. ONLY friend people you actually know in real life.
  3. Try not to add any add-on applications on sites like Facebook.
  4. Use the Firefox browser with the NoScript and AdBlock Plus plugins. Lots of sites out there have nasty JavaScript and Flash that can play havoc with your system. NoScript lets you whitelist the sites you trust and block those you don't. It's an internet condom in software form. With AdBlock Plus you can get rid of the nasty ads you see on every site; some of those ads also carry hidden exploits aimed at your machine.
  5. Use strong and unique passwords. Passwords are a MUST, but I also want to add that you should use a separate password for each and every site you join. By doing so, if ANY of the sites gets hacked, you are safe from them getting into any other site you use. I have seen this far too often: a user uses the same password for some random forum site as they do for their banking site. If the forum site is hacked (and forums quite often are a main avenue for hacking), then they have your banking password as well.
  6. Use multiple email addresses. This is something everyone should do. At least use two: one for your family and friends, and one for signing up to internet sites. The second should be a Gmail, Hotmail, Yahoo Mail, etc. account, and any of the information you signed up with should be FAKE. DO NOT use any of your real information when signing up for sites that you aren't going to purchase from, and even then consider a third email account (Gmail, etc.) that doesn't have your real info.


Twitter Bot thoughts

April 19, 2009

Robin (digininja) made a PoC C&C for a Twitter bot network (http://www.digininja.org/twitterbot/). He did some excellent work and, again, it is a PoC, so I can understand why he didn't go too in-depth into making the code more complex. So I figured I would throw something together really quickly just to show how easily the commands on Twitter (or any social networking site for that matter) could be made to work in a somewhat different way.

A couple of things I would suggest adding to what Robin did: have the code cycle through a list of Twitter account names to follow, moving on to the next one if the account it was following gets deleted. I would also encrypt everything in the post other than the header bytes and the CRC bytes. Not only would the body be encrypted, but the key would be updatable, with the decryption key stored on any number of machines that could be polled over SSL. Yes, this does make it a bit noisier, but it makes for modifiable code. You could also make the payloads much longer, so that a command could span several Twitter posts (as long as they were, say, no more than 2 minutes apart) by using a count byte.

1. First Byte is for multiple command count

2. Second Byte – PK Selection (which stored decryption key to use)

3. Third Byte – MSB of Total length

4. Fourth Byte – LSB of Total Length following (not counting the 4 header bytes or the 2 CRC bytes)

5. Fifth Byte – Command Byte – Bit Structure (MSB -> LSB)

5.1. Bit set to execute the attached payload (Bit 7)

5.2. Bit set for a reverse connection established (Bit 6)

5.3. Bit set to perform a PING to a specific address (Bit 5)

5.4. Bit set to download a file (Bit 4)

5.5. Bit set to grab and send password sniffed (Bit 3)

5.6. Bit set to grab hashes and send (Bit 2)

5.7. Bit set to change Key Server(Bit 1)

5.8. Bit set to update code from some site(Bit 0)

6. Command Start (FF)

7. Command Length (number of payload bytes that follow)

8. Payload Bytes

9. Last 2 Bytes – CRC-16

Example of a packet (after decryption), single command:

00 02 00 0B 20 FF 08 31 30 2E 30 2E 30 2E 31 28 7E

This would translate to ping 10.0.0.1

00 02 00 0B – Single Twitter post command, use value 02h to select the decryption key, total command length is 0Bh (11 bytes: command byte, FF, length byte and 8 payload bytes; the header and CRC are not counted)

20 – Bit 5 set so PING

FF – Start Command Payload

08 – 8 Bytes of Command Payload

31 30 2E 30 2E 30 2E 31 – 10.0.0.1 in ascii

28 7E – CRC-16
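An added example (not Robin's PoC and not code from the original post) that builds and parses this layout, so the worked packet can be checked field by field. The post names a CRC-16 without saying which polynomial, so CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) computed over header plus body is assumed here, and the trailer it produces is not guaranteed to match the 28 7E above. Encryption of the body is left out; this is the post-decryption layout. The flag names are taken from the bit list above.

```python
"""Builder and parser for the Twitter-post command layout sketched above.

Added example, not Robin's PoC and not code from the original post. The post
names a CRC-16 but not which one; CRC-16/CCITT-FALSE (poly 0x1021, init
0xFFFF) over header plus body is assumed here, so the computed trailer is not
guaranteed to match the 28 7E of the worked example. Encryption of the body
is out of scope: this is the layout after decryption.
"""
import struct
from typing import Dict, List

# Command byte bit flags, MSB to LSB, as listed in the post.
FLAG_NAMES: Dict[int, str] = {
    0x80: "execute payload",
    0x40: "reverse connection",
    0x20: "ping address",
    0x10: "download file",
    0x08: "send sniffed passwords",
    0x04: "send hashes",
    0x02: "change key server",
    0x01: "update code",
}
CMD_PING = 0x20
CMD_START = 0xFF
HEADER_LEN = 4   # count, key selector, 16-bit body length
CRC_LEN = 2


def crc16_ccitt(data: bytes) -> int:
    """Bitwise CRC-16/CCITT-FALSE (assumed variant; the post does not specify)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_packet(count: int, key_id: int, flags: int, payload: bytes) -> bytes:
    """Assemble count | key | len(2) | flags | FF | payload_len | payload | CRC."""
    if len(payload) > 0xFF:
        raise ValueError("payload length must fit one byte")
    body = bytes([flags & 0xFF, CMD_START, len(payload)]) + payload
    header = bytes([count & 0xFF, key_id & 0xFF]) + struct.pack(">H", len(body))
    frame = header + body
    return frame + struct.pack(">H", crc16_ccitt(frame))


def parse_packet(packet: bytes) -> dict:
    """Validate lengths, marker and CRC, then return the decoded fields.

    Every length is checked before it is used as an index, and the CRC is
    checked before any field is trusted, so truncated or tampered posts are
    rejected instead of being acted on.
    """
    if len(packet) < HEADER_LEN + 3 + CRC_LEN:
        raise ValueError("packet too short")
    count, key_id, body_len = struct.unpack(">BBH", packet[:HEADER_LEN])
    if len(packet) != HEADER_LEN + body_len + CRC_LEN:
        raise ValueError("body length does not match packet size")
    frame, trailer = packet[:-CRC_LEN], packet[-CRC_LEN:]
    if struct.unpack(">H", trailer)[0] != crc16_ccitt(frame):
        raise ValueError("CRC mismatch")
    body = frame[HEADER_LEN:]
    flags, marker, payload_len = body[0], body[1], body[2]
    if marker != CMD_START:
        raise ValueError("missing FF command start marker")
    payload = body[3:]
    if len(payload) != payload_len:
        raise ValueError("payload length byte does not match payload")
    names: List[str] = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return {"count": count, "key_id": key_id, "flags": flags,
            "commands": names, "payload": payload}


if __name__ == "__main__":
    pkt = build_packet(count=0, key_id=2, flags=CMD_PING, payload=b"10.0.0.1")
    print(pkt.hex(" ").upper())
    print(parse_packet(pkt))
```

Building the ping command reproduces the first 15 bytes of the worked example exactly (00 02 00 0B 20 FF 08 31 30 2E 30 2E 30 2E 31); only the CRC trailer depends on the unspecified polynomial. From a detection standpoint, the same parser is what you would run over a suspect account's posts: a fixed FF marker and a length field that always matches the post size are exactly the kind of structure that gives a covert channel away.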


3G/EVDO Router works

April 4, 2009

While out doing presentations to clients we always have 2 laptops for certain parts of the presentation. That was fine if there was WiFi access or 2 Ethernet drops, but if there weren't, we would each have to carry some combination of GSM or CDMA products. In Canada we have a couple of choices: 1, the Rocket Stick from Rogers Wireless (which you can get in USB or CardBus), and 2, a CardBus EVDO card from Telus/Bell. Well, that is great, but that makes 2 devices with 1-3 year contracts on each. This can get a bit pricey and cumbersome.

Enter the CradlePoint MBR1000 (http://www.cradlepoint.com/products/mbr1000-failsafe-broadband-n-router). This router allows us to share a GSM-based internet connection or an EVDO internet connection. I just got the unit this morning, tried it out with my Rocket Stick, and it delivers on its claims: 3G routing for those who need it in the field. No more bridging connections on a Linux-based machine; it just works.

So if you have a need for something like this and have an extra $300 (CAD) lying around, you might want to take a look at it, as it just might help you out in the field.


2 Google Voice Fails

March 21, 2009

My friend Bob got his notice to upgrade to Google Voice last night, and so Bob did. After the upgrade finished, Bob started playing with it a bit to test this newfangled feature out. What Bob found was 1 verified FAIL on Google's part, and another one Bob is 90% sure is a second fail, but no one Bob knew had a GrandCentral account that they hadn't already upgraded to verify my test.

Anyway, enough rambling; on to the fails.

Fail #1: This fail was inspired by a post by ChrisAM on the Securabit website. By default, when you have a cell/mobile number as one of your forwarding phones, Google Voice lets you go directly into your Google Voice voicemail without entering a PIN if you call from a phone whose caller ID matches your cell phone. Now you might be saying, "OK, that's great, no big deal," but once you are in your Google Voice voicemail you can choose Option 2, which is to make an outgoing call. Ah, now there is a FAIL.

If a malicious person spoofs the caller ID of your cell phone and calls your Google Voice number, they get right into your Google Voice voicemail. They choose Option 2, and if you have any credit for making outgoing calls (Google gives you $1.00 to start with), they can now make international calls and dwindle your Google Voice credit down until you have none left. Caller ID is set by the calling party and is trivially spoofed, so it should never be treated as authentication.

Fix #1: Go into your settings, then the Phones tab, and edit your cell number. Choose the advanced options and select YES to "Require pressing star and entering PIN to check voicemails from this phone?"

Fail #2: Please understand that this is for people NOT in the USA. Before upgrading your account from GrandCentral to Google Voice, add a forwarding number. It will allow you to enter a number (in my case, a Canadian one). Once you have added the number, upgrade to Google Voice. It will transfer that number to your new Google Voice account without issue. Why this is a FAIL on Google's part is that if you try to add an international number as a forwarding phone in Google Voice itself, it won't allow you to. Also, the forwarding works (Bob has tested this) and it doesn't charge your account for making an international call. Bob is still at my $1.00 credit.

Fix #2: Bob has emailed Google to fix their upgrade process.
