Intrusion Detection System with Snort

There are two files bellow first is the actual report and the other is an accompanying set of slides that gives a quicker overview of the paper.

Black Box SQL Injection Strategies Research Paper

Black Box SQL Injection Strategies – Presentation

Secure Tunnel Explained

Image credits: http://beneathesummergrowth.wordpress.com/

Many websites use content management systems like WordPress, Drupal, MidiaWiki, or OS Commerce. Whatever system you are using there is one key thing that you should know, all these systems come out with regular updates for very good reason. It is very common that new vulnerabilities are found in these systems on a regular basis. When this happens the vulnerabilities are typically reported and patches and updates are released. One of the most interesting thing I’ve learned in the last month is that the majority of attacks that occur on websites occur after the fix for the vulnerability has been released. What hackers do is they read the patch release notes to find out what vulnerabilities have been fixed then go to find ways to exploit lazy website owners who have not updated their system. The lesson here is to take your CMS updates seriously. This also applies to plugins and all other systems.

User Input Attacks

Most of the vulnerabilities found in a website or CMS are because the system dosen’t properly handle and sanitize user input. Typically a web developers primary concern is making the site work, making it secure sometimes comes later or not at all. User input attacks come when a hacker inserts special commands into a form or field that make reference to the systems database or application. This can cause the web server to reveal personal information about itself or give a hacker escalated privileges. The three main types of attacks are SQL injection, Cross Site Scripting (XSS), and buffer overflow. The main defence from these types of attacks is to sanitize the users input before it is used by the server. This involves removing any special characters that would never be used by a regular user and making sure the input dosen’t go over a specified length.

File Read/Write Permissions

Your website typically will contain many nested folders and files. If your website dosen’t allow for any user input or have any plugins or systems that have to update content dynamically then you can simply set all permissions to read only and your fine. However many systems require additional privileges on specific files or folders to be able to save and modify settings or place user uploaded images and files. Sometimes when you are setting up these systems you might get an error that it doesn’t have the appropriate permissions. When this happens either out of confusion or lack of understanding users don’t always change the permissions properly making the system more vulnerable to attacks. Additionally a number of systems just need special write permissions when they are being installed and can be set back afterwards, lets play guess the percentage of users who actually change them back afterwards. The lesson here is that if you are going to make any changes to the read/write permissions of a particular folder or file on your web server you need to make sure that you are doing it in a way that won’t compromise your website.

Vulnerable Plugins and Add-Ons

CMS plugins are typically small add-ons that allow additional functionality on top of a system. They are typically developed and maintained by individual programmers or small teams. These smaller groups usually have less resources or knowledge of the security implications of their designs than the platforms they are built on. As a result of this, plugins are much more vulnerable to all kinds of attacks. If you are really concerned about the security of your website I would avoid untrusted plugins that don’t have proven track records for being secure. The reality is that it takes time and many revisions to produce a quality plugin with minimal security risks so if this is a concern for you avoid being the ginny pig for the plugin developer.

Weak Passwords

Consider the scenario where you visit a forum with really cool information except inorder to post on the forum you need to register. After registering you make your post, go about your business and never visit that site again. Months later that site gets hacked and all of its users email accounts and forum passwords are posted on Pastebin. Now the whole world knew that you were a member of that forum and the password you used. Once this information is public what a number of individuals with malicious intent do is try that password against every known popular web system. They now try that same user name and password combination on facebook, google, hotmail, amazon, ebay, and any other system they can think of. If by chance they are able to get into your email they can now view messages of every web service you’ve signed up for and the proceed to reset all of those passwords also.

The message you should take from this is to use strong unique passwords on every site you register for. You will need to derive some sort of system or method of keeping track of all these passwords and I will touch on this a bit further in my follow up article.

Database Backups

I was browsing the google dorks section of exploit-db.com the other day and noticed a google search term that returns all WordPress database backups that were stored on servers. THIS IS VERY BAD. Now it is certainly a good practice to back up your database regularly but it is a really bad idea to store that file on your web server.

Link Building Spam

A true mesure of success for your website is how much spam your getting. I consider this a mild form of hacking because the spammers are using your site to link build their sites. Additionally some of these spam comments can contain malicious code that will redirect your users to other websites or ads. Needless to say you need to find a way to manage all the spam comments.

Client Side Attacks

Client side attacks sometimes fall under the category of injection attacks but not always. In this type of attack hackers are after the users that visit your site not necessarily the site itself. They may sometimes use an injection attack to embed an XSS (cross site scripting) attack to direct users to a webpage that they may think is your site when it is actually a modified or fake version of it where they are then able to steal your users login credentials, browser session or cookies. This type of attack is commonly referred to as session hijacking. In this type of attack a hacker may not be able to login as the user but it would be able to convince the web server that it remembers that the hacker is already logged in as the user.

Brute Force Attacks

Does your web system prevent users who enter invalid passwords from retrying over and over again? This common weakness is what allows some some attackers to basically run scripts that attempt to crack your password over and over again. A smart attacker would bypass the user interface level and work at the packet level to flood your server with login attempts with various username password combinations and measure how the server responded to these requests to see if it is able to find out any passwords. Your system will need to be set up to refuse requests after a certain number of failed login attempts. Sometimes this attack masks itself as a Denial of Service attack but that is usually just a symptom of the attempt to brute force attack your website.

Denial of Service Attacks

A denial of Service attack is basically any attack that takes your website down.Denial of Service attacks are just annoying but if you’re a big company the negative PR can be a nightmare. One common method is when an attacker decides that they are going to essentially reload your webpage over and over again a couple thousand times a second. This overloads the server causing it to be unable to handle legitimate user page requests.

There are many other variations of this attack some of which come from weaknesses in your server that you need to watch for. Bellow find a flow chart I recently made for one of my Web Security class that outlines some of the types of denial of service attacks that can occur on your system. There may be more methods that I haven’t mentioned in this diagram so if you have anything meaning full to contribute please post a comment.

Image Describing the various types of Denial of Service attacks and Vulnerabilies

Lately I’ve found myself checking the same IT Security sites over and over again. In many cases I find myself checking them more then a couple times a day. Heres a round up of all the IT related sites I use as resources regularly. If you know of any other resources that are similar to this post please feel free to post a comment and I will update the list.

Exploit-db.com

There are plenty of databases online that index security vulnerabilities. This site however indexes the vulnerabilities with known exploits. Often when I read about a particular vulnerability I find it difficult to invision how it might be used to attack a system. With this database you are able to see how someone else took advantage of a particular vulnerability. I find it much more informative and educational this way. A very interesting sub-section of this site is the Google Dorks section. http://www.exploit-db.com/google-dorks/. This section contains all kinds of interesting google search terms that will return a wide variety of information pertaining to various servers and websites that google has indexed.

Securitytube.net

I am a big fan of hyper-niche video sites and this one is one of my favorites. Security Tube has a tight nit active community of security professionals that regularly share their research, techniques, and exploits. The website owner Vivek Ramachandran has also produced a number of his own videos. Vivek operates a certification program for wireless network security and another for Metasploit certification that is available through his website. The great thing that Vivek has done on this site is that all of his tutorial videos for the online courses are available for free. It should also be mentioned that the content is also available to university’s as one of my readers pointed out. I do plan on taking the courses eventually but my plan is to watch and try out all of the videos for the courses first. These videos on their own make the site extremely valuable to anyone interested in IT Security so be sure to check out Wireless LAN Security and Penetration Testing Megaprimer and the SecurityTube Metasploit Framework Expert (SMFE) Course Material.

pastebin.com

I am always pleasantly amazed by the random pieces of information I find just browsing the recent posts section of this website. For those of you not aware Pastebin is basically an online clipboard that allows you to paste text content and make it available publicly via url. Pastebin gained a lot of popularity last spring as some of the big website hacks that were going on posted all of their database dumps on Pastebin (lulzsec, anonymous, sony etc). Now it seems that almost everyday another hacker is posting information about what they’ve done and many news and blog articles are regularly sourcing these pastebin posts.

thehackernews.com

There are many news reports out regularly about all kinds of events in hacking. Rather then looking at large news outlets I prefer this niche site for hacking specific news. I find that The Hacker News is very frequently updated and informed with a full range of content. This site typically has 2-3 new posts a day about all kinds of news in hacking and I am most impressed by the amount of international stories that they cover from all over the world. This is also a good source to find out about new apps and tools that are being used in the industry today.

http://www.oxid.it/ - Cain and Abel

This windows based tool (don’t stop reading yet) is the subject of some of my masters research. It has a full range of functions that make it a very versatile tool. It’s primarily popular for some of its man-in-the-middle attacks mainly its ARP poisoning attack. In addition it is also decent at finding and cracking windows admin passwords. It also has a full range of possibilities that don’t have a lot of information published on it. I’ve heard of some of my students using it to packet flood people they are playing against in Call of Duty or other peer to peer network games to perform a denial of service on them. I’ve also heard but not confirmed that it can be used for intercepting voice and video communication. The tool itself is worth checking out, if you’ve done anything interesting with this tool please post a comment and share it with me.

backtrack-linux.org/

Back Track is the definitive resource for anyone who is serious about IT Security. This is a linux distribution that comes ram packed with everything you might need to evaluate and penetration test a network. I run my version in a virtual machine on top of my primary OS but you might choose to dual boot it or install it on a spare computer. The challenge with this system is figuring out where everything is and how to use each tool but with a bit of reading in the -help files and forums you should be able to figure most of it out.

wireshark.org

In monitoring any network one thing I’ve learned is that packets don’t lie. It is sometimes difficult to filter down to the information you are after but if its transmitted across a network then the data is there somewhere. Wire Shark is one application that every security professional uses to see exactly what is going on in a network.

https://www.torproject.org

I could probably write an entire article on this web browser, in fact I probably will. For now though the best way to describe tor browser is that its a browser that lets you bypass any firewall to browse facebook or any blocked site from anywhere. How it works is a little interesting. In a typical browser if you set up a proxy you are making one connection from your computer to the proxy server then the server to whatever site you are going to. This may help you get around a firewall once but a lot of firewalls detect individual proxies or sites that list them also in terms of traceability its easy to trace route back to your ip. The tor project is a little different from the traditional forms mentioned, it actually encrypts your traffic and routes it through a number of proxy relays that allow you  transmit your data securely and browse anonymously.

Again if you have any links that you feel should be included in this list please feel free to leave a comment and include it.

This is an obvious scam but I am certain that they find a new sucker every hour and that this is how some hackers have bot nets of over 30,000 computers.

For a full detailed explanation of this Phishing Scheme check out this link http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india-call-centres

The short version of this story is that I get a phone call from a guy with an Indian accent saying that he’s calling about my windows PC. Knowing full well that this is a scam as I have heard stories of this scheme from some of my students just never actually got the call myself, I decide to play along long enough to get some info on what he’s actually doing. Also figuring that the longer he’s talking to me the less people he can talk to who may be less knowledgeable about this scam.

To his opener of “I’m calling with regards to your windows PC” I reply with “which one?” Thinking that if he knows I have more then one computer at my house he might start salivating at the thought of getting multiple computers from one call.

He begins to tell me that he is from Microsoft and that they have been noticing viruses being transmitted to and from my computer.

He directs me to this website http://windowsonlinesupport.com/  WARNING DO NOT DOWNLOAD ANYTHING FROM THIS SITES LINKS OR FILL OUT ANY INFORMATION.

Now he gets me to read off what I see on the site to make sure that I am on the right page. When I read the icons out in his most enthusiastic voice says “YES!” (he uses the enthusiasm to trigger an emotional response and positive reinforcement for doing a good job).

At this point I want to take a closer look at the site itself. In the top right there is a login screen made to look like an msn or hotmail login screen that people are used to . The point of this icon is to get people to login using whatever default login they usually use, giving the phisher all access to whatever email account you use regularly.

There is also some icons used to get customers to sign up for their service. What service they provide beyond maxing out all your credit cards is not clear by the site.

From reading some other articles if this caller is successful in installing enough viruses and remote control software on your computer to render it useless they then insist that they pay you for the service they’ve just provided for you.

At the bottom of the page is where the real dangers lie. The above icons point to remote control software that undoubtably laced with an assortment of viruses. One virus to take control of your computer, one to block all other anti-virus programs, one to change all your web searches so that instead of displaying your search results you get ads so they make money. Also now that they have your computer as its slave they can use it to do various cloud computing tasks like DDoS attacks and mining for bitcoins.

Proving its a Scam

If you do a domain name whois lookup for the site claiming to be Microsoft and it comes back to say its hosted on a Godaddy server its definitely a scam. And heres proof :  http://dawhois.com/siteinfo/?query=windowsonlinesupport.com

On a side note it also shows that they have owned this domain and presumably been in operation for over a year.

Why bother?

The question I get is why would anyone spend this much time and money just to put a virus on your computer. Well to answer this lets dissect their business model a bit. Here I use simplified numbers based on my best estimates based on my experiences. At this time I don’t have enough sources to properly site the reasoning behind the numbers you will just have to trust my experience to get an ideal of the scale of these sort of operations.

The cost to set up a site like this is relatively low. 5-10 Dollars a month for web hosting, $10-20 a year for the domain name and $3-4 an hour for someone in a call center to call the phone book in a particular area. So lets say you start off with an operating budged of $200 for your first couple of months.

In this time you could afford almost 40-50 hours of cold calling. Considering that a call center operator could call 100+ people an hour (just an estimate). They could potentially attempt to reach 4000 + people in a week. (In my opinion these numbers are just low ball estimates and in reality are probably much higher).

The next question is how successful are these Phishers? Assuming they attempt to contact 4000+ people how many of them will they be able to scam into installing the virus on their computer? 1,5,10,50? My best guess would probably be more then 10 but less then 50 although a number as high as 400 would not surprise me in the least.

So lets say they are successfully able to infect 25 computers. They now effectively own these 25 computers and can do whatever they want with them. A popular thing to do with these infected computers is to set it up so that the most popular search engines (google) display a fake version of their web browser. The script will still display search results except rather then displaying genuine search results they will display ads disguised as search results so that if you click on them the people who infected your computer will make money. So going back to our 25 infected computers example, even if the user was tricked into clicking an ad once a day for the low click earnings of 10 cents per click (low ball number by most estimates). These computers if infected for over a month could result in 80 – 100 dollars a month (again extreme low ball estimates as most ppc ads can get much more then 10 cents per click and some of these virus can easily turn out 5-20 clicks per day).

Another popular use for these viruses is to help farm/process a virtual currency called BitCoins. Using the infected computer to process encrypted transactions results in a generation of a virtual currency for the person who processed the transaction. This can be quite profitable if you have a decent video card installed on your computer for the virus to make use of. Conceivably 25 computers working together could potentially generate 20-50 dollars a month if not more (depending on current exchange rate).

If you also consider the fact that if they observe your computer long enough while infected and they capture all your login information for websites, email, banking, and paypal etc. They could of course rob money directly from your bank account or use your credit card information to purchase items.

One of the less obvious uses of having a network of computers is a Distributed Denial of Service attack. Basically if a computer hacker has a network of computers available to them they can instruct them to visit a target website all at once. If you send 10,000 website request all at once repeatedly users that legitimately want to access the site will be blocked by all the other requests.

Once this scam is set up on a small scale it is really easy to just hire more people to do the calling. As a result of this scam its not uncommon for a hacker to control more then 30,000 computers in their network. Once these networks are set up the hacker can now rent out their network to people who wish to spam computers for whatever purpose.

I tried to write this in article in a way that simplifies some of the concepts. If you have more details or information to add I would love to hear about it. Also if you have received calls like this please share your experience and provide the link of the site that they directed you to.

All three parts will be available at the following links:
Part 1 – Creating the Soft Blur Effect
Part 2 –  Silky smooth skin in photoshop
Part 3 – Increasing the background blur in macro photography

Disclaimer: Before I begin on this tutorial I should first explain why you would want to use this tutorial.First of all if you are an experienced photographer you can achieve this effect with your camera and probably don’t need this tuturial. The typical macro shot contains an object in the foreground with a very short depth of field. As a result of the very narrow depth of field the background ends up being blurred. A trained photographer can easily accomplish this task but for a beginner or someone with a typical point an shoot camera you don’t always achieve the exact intended result. Also macro lenses can be expensive. Luckily theres a way for you to compensate for your lack of camera skill or quality camera with a quick photoshop trick.

Here you can see the original image as you can see the main focus is the bear itself and its eyes and the background is only slightly blurred. In this tutorial we are going to increase the amount of blur applied to this background.

First step as always is to duplicate the original layer so that you have something to work with with out messing up your original. Right click on the background layer and select duplicate layer. Name this new layer blurred background.

With the Blurred Background selected go to the top menu and select Filter-> Blur -> Gaussian Blur.

Now apply a blur filter on this layer. The amount of blur will depend on your image and its resolution. Anywhere from 3-10pixels should give you quite a significant amount of blur.

Now we are going to create a vector mask so that we can apply the blur effect just to the background and not the whole image. With the new layer selected click on the add new layer mask icon from the layers window.

For the next step ensure that you have the vector mask on the blurred background layer selected. This is a common mistake that people make so ensure you have the correct part of the layer selected. You should see a box outlining the vector mask like so.

There are two options you have next. Depending on the scale of your foreground Item you can either paint that item in black to remove the blur or fill the mask with black and then pain the background where you would like to blur in white. Either way you go you sure use a large fuzzy brush to paint softly around the edges of your foreground object. When you are done the mask should be black where you would like the image to show through to the sharp image bellow and white where you want it to be blurry. If you find that your gaussian blur effect was too strong you could reduce the opacity of the mask layer until it meets your liking.

Here we have the finished product image.

All three parts will be available at the following links:
Part 1 – Creating the Soft Blur Effect
Part 2 –  Silky smooth skin in photoshop
Part 3 – Increasing the background blur in macro photography

This image dosen’t really have any major imperfections but I’ll show you how you can improve the look of the skin. Here is the original image.

First thing I always do in photoshop is duplicate the original layer so I can preserve the original image for comparison later (or if I mess up). Do this by right clicking on the background layer and clicking duplicate layer. I’m going to name this layer skin touch ups.

On the skin touch ups layer I’m going to use the spot healing tool to remove any freckles or pimples. Try to avoid touching up around any natural lines that make up the composition of the subjects face. Select the spot healing tool and set it up with a soft brush just slightly larger then the size of whatever you want to remove (pimples, freckles, scars, etc.). Make sure the hardness is set really low (0 is ok).

For major touch ups you can also use the patch healing tool but I’m not going to go into that here. The spot healing brush essentially takes an average of all the pixels around it and blends it together. To touch up a pimple or freckle simply dab the brush with the pimple in the center of the brush. Here you can see the result of some small touch ups see if you can pick out the differences.

At this point I am going to duplicate the touch up layer. Name the new layer blur mask. At this point you should have 3 layers: The original background layer; the touch-ups layer; and the blur mask.

With the blur mask layer selected go to filter -> blur-> Gaussian Blur. Now like in the last tutorial the amount of blur that you will actually apply to the layer depends on the resolution of your image. You may have to play around with it a bit but probably somewhere between 2-10 pixels of radius will do. You want to blur the skin/ face without loosing too much of the image detail.

At this point we are going to use a layer mask to only allow the blur effect to be visible in certain area’s i.e. the skin. I tell my students to think of this like a window your are going to paint black and only chip off the pain the area’s you want to see through.

To add a layer mask select the blur layer and click on the create new layer mask icon.

With the paint bucket tool paint the mask portion of the blur layer black. Be extra careful not to paint on the actual blurred layer. The image should go back to its original resolution without the blur and the mask on the blur layer should go from white to black. Essentially you have just painted the window completely black on the blur layer so you can’t see any of the blur effects.

Now we are going to paint in white on the layer mask the areas where we want the skin to be blurred. Grab a big fuzzy brush with white as the foreground color. Be sure that the mask is selected and not the blurred image layer. Now paint anywhere there is skin that you want to make smoother. You can grab a smaller brush to reach some of the more detailed areas and if you make a mistake you can just paint over it in black and try again.

Sometimes if the blur effect was too strong you can regain some of the detail of the image by adjusting the opacity of the blur layer.

An interesting view of what the mask you have just created can be viewed by hiding the other layers.

Finally here we have the finished product.

I hope you enjoyed this tutorial. Thank you to Mr. Medd for volunteering to be in this tutorial.

All three parts will be available at the following links:
Part 1 – Creating the Soft Blur Effect
Part 2 –  Silky smooth skin in photoshop
Part 3 – Increasing the background blur in macro photography

Part 1 – Creating the Soft Blur Effect

This effect is commonly used in wedding photography to give your images a whimsical and dreamy feel to them and its really quite simple to accomplish.

Today I am going to be using a picture of my wife on a fairy on London River Thames.

Start by duplicating the layers of whatever image you are going to work with.To duplicate the layer simply right click on it from the layers window and select duplicate.

Now select your new layer and apply a Gaussian blur to it. To do this select the filter menu from the top menu, then choose Blur -> Gaussian Blur.

The amount of blur you apply to this image will depend on the quality of the image. My image was taken on a digital slr at the highest quality setting so my images are all quite large. For lower quality images you would apply less blur. Play around with the sliding scale until you have a enough blur to slightly blur your image without loosing to much of the detail.

After you blur the image should like pretty fuzzy. From here we are going to blend the blur effect with the original layer. To do this simply adjust the layer opacity to anywhere from 40-60% or until you get your desired effect.

Finally here is the finished image. Some editors add additional blending options to the blurred photoshop layer but I am not going to get into that with this tutorial.