Making Security a Common Sense

Ever wondered what is this “Free Public WiFi” or “Free Internet Access” wireless network visible in most of the places?

These are known as Viral SSID, don’t expect it to be a free access to internet

Is it a virus, why doesn’t my antivirus detects it?
Its not a computer virus kind of thing which will be detected by Anti-virus, but still it is “Viral SSID” cause its spreads like virus

What is Viral SSID?
Like virus spread from infected computer to healthy one, a viral SSID spreads from an infected wireless-enabled computer to another. That’s why Viral SSID is the network name for ad-hoc (laptop to laptop) . See the icon next to it in the window carefully

How does this Viral SSID Spread?
The culprit here is “Wireless auto configuration utility” of Windows.

Whenever a user connects to wireless network, its SSID is added in a list of known network names, this list is called the Preferred Network List (PNL). This list includes the viral SSIDs to which a user may have connected (by greed ) or in fact, a user need not manually connect to a viral SSID for it to be added to the list. In certain auto-configuration utilities, there are options where a user can choose to connect to any network in vicinity whether it is ad-hoc or belongs to the infrastructure type.

When the user moves to a different location and starts the computer, the wireless auto configuration utility tries to look for the SSIDs stored in the PNL. When it doesn’t find any infrastructure networks mentioned in this list, it starts looking for ad-hoc networks stored in the PNL. If it finds one, it connects to the host displaying the corresponding SSID. However, if it does not, it becomes the first node of that ad-hoc network and starts showing the viral SSID.

If an unsuspecting healthy laptop is searching for wireless networks in vicinity, it will see the advertised viral SSID in its list. If the laptop is configured to “Connect to any wireless network” as it comes in range, it will attach itself to the respective network. The connection can also be made when an unsuspecting user manually connects to an advertised viral SSID. As soon as this connection is made, the viral SSID appears in the PNL of the healthy laptop and thus gets infected.

Why tempting names such as “free internet access”?
This phenomena of viral SSID started with generic names such as “default” or “<vendor name>” where the same SSID was in infrastructure mode (access point) as well as ad-hoc mode (peer to peer).

These lucarative named viral SSIDs could have been deliberately created by malicious intent where the attackers knew that the clients would be tempted to connect to this SSID if they didn’t find any infrastructure netowrk. Its a kind of social engineering, attracting the victims.

Should someone worry?
Answer is Yes, if your machine is searching for a viral SSID, an attacker may have setup his/her machine to advertise that viral SSID and connect to your machine. The same is true if your machine is advertising it. Once the connection is made, the attacker can use various means to attack your computer and get the information he/she requires.

The mildest form of attack could be stealing information from your hard disk. The attacker can also become a man-in-the-middle routing all your Internet traffic through itself and observing/modifying all your data. Your passwords can also be stolen in this way.

So how to protect yourself?

(a) First and foremost, avoid the temptation to connect to such networks, no one is giving you free internet there
(b) Disable auto-connection or advertisement for ad-hoc networks in your wireless auto configuration utility
(c) In windows XP, ensure that you have selected the “Access point (infrastructure) network only” in the “Advanced” configuration of Wireless Network Connection Properties.
(d) If you ever do connect to such a network (even by mistake), clear it from your PNL.
(e) If you need to connect to a peer device, make sure of the identity of that peer device before connecting.

Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.

Adam uses firewire port (IEEE 1394) to gain a read/write access of the RAM of a locked and password protected computer.

To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory.

Checkout Adam’s website for more details. http://storm.net.nz/projects/16

I just stumbled accross this nice website

http://bcheck.scanit.be/bcheck/index.php

You can use the test to scan for vulnerabilities of your browser. As of now they have 13 tests only, but its worth doing a test.

1: Zombie storm attack

Botnet is a group of “zombie” computers controlled remotely, to craft attacks. The most common ways to make a computer zombie is by virus, and exploits on unpatched vulnerabilities. Botnets are not a new concept; they have been around for sometime. But attacks from botnets are expected to grow this year. Some attacks we see from zombie networks include Denial-of-Service attack, Spyware, E-mail spam, and Click frauds.

2: Web2.0 and SaaS attack

More and more software-as-a-service websites are coming up these days (like salesforce.com, Google docs, Spreadsheet, and so on). They will get more attention from attackers. Many of these hold your important personal/company information and that’s juicy information for attackers.

3: Parasitic attackware

These might look like legitimate and branded applications, but are infected by attackers and redistributed (similar to Firefox extensions). Fake shareware distribution sites might distribute legitimate but infected programs online. The Victim would, for example, think that they are downloading legitimate Adobe Acrobat Reader from a ‘xyz’ site (not parent site of the product). However, this site might have parasitic attack software patched onto it.

4: iPhone and smart phones

iPhone is expected in India this year. We can anticipate many attacks on the iPhone and other smart phones we see these days. These might get infected over GSM or some other malicious website. With the popularity of smart phones like HTC, Blackberry and so on, people are increasingly using internet on handheld devices. We haven’t seen antivirus products emphasizing much on theme.

5: Attack from your pocket

We can expect attacks being launched from new age phones and handheld devices. Most of the handheld devices these days have wireless connectivity, and Linux or windows as the operating system. We will see a trend of hacking tools on these devices which can be used for attack. Attackers know how easy it is to create an attack toolkit on a Linux based phone. We are also witnessing a trend in tools that can assist malicious acts from handhelds. Normal phones these days are more powerful in processing as compared to the first generation of computers we stared using.

6: Attack on Govt. websites

In the recent past, we have observed cybercrooks trying to hack Govt. and bank websites. Latest in series was the ‘Govt. of Maharashtra’ website. We can expect increase in the trend of hacking into Govt. websites. The need of the hour is to secure such websites and manage them properly

7: Phishing: Majorly targeting SSO based services

We are moving towards one username, one password, and many services kind of architecture, just like Google. It’s commonly known as single-sign-on (SSO) in the IT industry. We can expect malicious websites offering some services which pretend to, for example, use Google Auth API where you could avail the service under the Google services umbrella. It will look legitimate but the attacker might get away with your crucial information. This can directly relate to financial loses as well. We have seen a lot of people using Google checkout to shop. Attackers might try to take benefit of this fact.

8: Social networking websites

What with the way social networking websites are booming these days, we can expect more and more crime on that front. As of now identity theft is growing through these sites. Pornography might grow a great deal on these channels.

Attackers might also use these sites for mining data about people, fetching information that people share and use it to “authenticate” their attacks.

9: Lucrative websites

Fancy looking websites of greetings, gaming and cyber pornography has been a good source of attacks in the past and the same will continue in 2008 also. It targets the mentality and emotions of people to serve its purpose, and the same will remain a prime method for adversaries in future too. These might be used to spread malwares and steal financial or personal information.

10: Wireless attacks

The wireless medium is getting popular in India these days with cheap and affordable devices. But people are ignorant about the security aspects of the wireless. Wireless attacks are on a high prowl in the west where companies have incurred losses in millions. We will see a rise in wireless attacks in India too, if people are not educated in time.

What should a common man do to be safe?

There are a few things a common man can do to be secure online. Many of these have been told again and again in past, but people do not take it that seriously

a) Use genuine software

b) Update all the software with latest patch issued by the vendor

c) Use a good antivirus and antispyware tool

d) Keep antivirus antispyware updated

e) Use a good desktop level personal firewall

f) Abstinence: Avoid temptation of downloading anything and everything.

g) Open email attachment from trusted source only

h) Do not give too much personal information on public websites

i) Double check before using any executable, verify the integrity and the source.

j) Download software from trusted websites only

k) As far as possible use HTTPS and other encrypted protocols.

l) Never ignore any warnings, read them carefully & try to understand the reason behind it

m) Use best security practices to secure your networks, wired or wireless

n) Use smartphones responsibly.

Yes you read it right – No steganography software

So here is a quick howto on doing image steganography with common tools, no specialized software.

1: Compress the file you want to secure( I tried both rar & zip), say secure.zip
2: Take the image file which you want to use, say image.jpg
3: run the following command
copy /b image.jpg + secure.zip hidden.jpg
4: Double click hidden.jpg & you’ll see the original image
5: Open the file in archiving utility (I tried winzip & winrar)
6: It will open the content of original secure.zip

Analysis
copy commands copies the content of both the files into a third file
The third file starts with the header of an image & even the extension is of image, so the OS (tried KDE & GNOME in case of Linux) interprets it like an image & shows the image, that too without any distortion or noise in the image.

/b option indicates binary operation & takes care of any possible goofup.

PoC
For PoC & original blog entry check
http://rohit11.blogspot.com/2007/05/steganography-easy-way-no-steganography.html

***Cross Posted on my personal Blog***
http://rohit11.blogspot.com