Passed the CISSP Exam!

I can very happily say that I have passed the CISSP exam!

I originally posted that I first started studying for the CISSP in January, but I stopped for a couple of months as I switched jobs and wanted to get acclimated to the new workplace.  Finally, around April I started studying for the CISSP from the moment I got home until I went to bed.  Pretty much any spare time I had, I spent studying.

My study materials included Shon Harris’s All In One CISSP Study book 5th edition, Shon Harris’s additional questions, the Official ISC2 CISSP Study guide, and a paid test subscription to cccure.org’s test questions.  While I had all these materials, the two biggest sources of information were Shon Harris’s AIO book and the cccure.org test engine.  I believe just constant studying and constant test taking forced me to learn the material, and I was able to use it to take and pass the exam!

I sat for the exam on June 12th in Reston.  I was maybe the 5th person done taking the test at exactly 2 hours and 59 minutes into the 6 hour exam.  I walked away feeling fairly confident that I did well, and just hoping that I passed.

Waiting to find out the results is the worst.  I kept taking one small practice test a day just in case I would have to retake the test again so I could help keep it all fresh in my mind.  It took just about 2.5 weeks to find out how I did.  I was at a conference when I got the e-mail from ISC2 on June 29th.  Very nervously I opened up the e-mail, and was very very very relieved when I saw the “Congratulations”.

It was a long time studying, and required a lot of time to learn all the material, but it was well worth the effort in the end.  As of now I have passed the exam, but I will not receive the actual certification until around April of 2012.  Needless to say, I think the hard part is past me.

iPhone’s Theme It Store – How Not to Implement Security

Hello all,

In this writeup, I will be providing proof that the owner/developer(s)/company that runs Theme It has developed an insecure iPhone and web application.  The only reason I am releasing this information before a fix has been made is because the owner/developer(s)/company has ignored repeated attempts to get into contact with them.

A while ago I wrote about the web front end to the jailbroken iPhone’s theme store.  There were a number of issues that I pointed out, and some have been fixed.  Unfortunately, not all have, and the fixes that have been made still leave your account vulnerable.

When first talking with the Theme It team, their reason for not securing their application was that “we are not a bank”.  Any business/store that performs financial transactions should ensure its customer data is secured, both at rest and in transit.

While I obviously do not have access to Theme It’s back-end database to view how records are stored, all of us have access to the information sent to Theme It, and I can show you how Theme It does not protect user information.  In fact, it is left in clear text for any person to sniff and steal user login information.

The Theme It team previously mentioned that “96% of its users don’t use the website” implying that they use the Theme It iPhone application.  After reviewing the information transmitted from the Theme It app to its servers, it can be said that the application has not taken any steps to secure customer data (at the time of this writing).

To test, I simply had my iPhone join a network, and then had the iPhone open up the Theme It app, and connect with my account.  What you see below is what any person sniffing traffic can see:


If you look at the information captured, you can see that nothing has been encrypted.  The “pseudo” variable is your username, “password” is the password for your account, “device_id” is the UDID of your iPhone, “device_type” is the model of iPhone you have, and “device_os” is the version of iOS it is running.

Any person on the network that the iPhone is transmitting on can sniff and intercept this traffic, and use its contents to take over the customer’s account.  Point being, the Theme It app does not take any steps to secure your personal information as it is being sent.

The Theme It Store also has a website that users can connect to in order to purchase themes, administer their account, etc.  I wrote about their website a few months ago, informing users that all information transmitted to their server is in clear text and can be sniffed by an attacker (this included username and password).  The web site still transmits information in clear text that can be sniffed.  With the information that is sent to the Theme It website, any attacker is able to perform what is called a replay attack.  What this means is that I can take the information I just sniffed from a customer logging in, send the exact same information to the Theme It server, and then be logged in with full control of the customer’s account.  The picture below shows a successful replay of captured information on the test account I created:

To fix this issue, the easiest thing the Theme It company can do is obtain a TLS certificate and move both the website and the API the app talks to onto HTTPS, redirecting plain HTTP to HTTPS and having the app refuse to talk to a server whose certificate does not validate.  That would stop the sniffing and replay attacks shown in this writeup, because a network observer would no longer see the credentials or a request it could resend.  It would not, on its own, say anything about how passwords are stored on the server, which cannot be verified from the outside.
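The two attacks above, sniffing the app’s login and replaying the website’s, come down to the same thing: the request is plain bytes, so anyone who sees them can read the fields out and send them again.  The following is an added example, not code from the original post or from Theme It.  It parses a captured cleartext HTTP login, extracts the fields the writeup names (pseudo, password, device_id, device_type, device_os), and rebuilds the request byte-for-byte.  The host, path and field values are constructed for the example and are not Theme It’s.

```python
"""Added example: sniff and replay a cleartext HTTP login.

Not Theme It's code and not from the original post.  Field names are the
ones observed in the writeup; host, path and values are made up.
"""
from urllib.parse import parse_qs, urlencode

# Constructed login body using the field names observed in the post.
_BODY = urlencode({
    "pseudo": "testuser",
    "password": "s3cret!",
    "device_id": "0123456789abcdef0123456789abcdef01234567",  # constructed UDID
    "device_type": "iPhone3,1",
    "device_os": "4.3.3",
}).encode()

# What a sniffer captures: the raw HTTP request, nothing encrypted.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"                       # hypothetical path
    + b"Host: themeit.example\r\n"                    # hypothetical host
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n"
    + _BODY
)

SENSITIVE_FIELDS = ("pseudo", "password", "device_id", "device_type", "device_os")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return request_line, headers, body[:length]


def extract_login(raw: bytes) -> dict:
    """Return the sniffed login fields as a dict (form-encoded bodies only)."""
    _, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode(), keep_blank_values=True)
    return {k: fields[k][0] for k in SENSITIVE_FIELDS if k in fields}


def build_replay(raw: bytes) -> bytes:
    """Rebuild the captured request from its parsed parts.

    The result is identical to the capture: with no TLS, no nonce and no
    per-request signature, nothing lets the server tell the replay apart
    from the original login.
    """
    request_line, headers, body = parse_http_request(raw)
    out = request_line.encode() + b"\r\n"
    for name, value in headers.items():
        out += name.title().encode() + b": " + value.encode() + b"\r\n"
    return out + b"\r\n" + body


if __name__ == "__main__":
    print("sniffed:", extract_login(CAPTURED_REQUEST))
    print("replay identical:", build_replay(CAPTURED_REQUEST) == CAPTURED_REQUEST)
```

The same parser works on a body pulled out of a packet capture; nothing in it is specific to the constructed sample beyond the field names.  Once the site is on HTTPS the observer sees only the TLS record layer, and neither function has anything to parse.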

I stated in multiple messages to both @fif7y and the official Theme It twitter account that I found their application is sending everything in clear-text, and that their web application is still vulnerable due to a lack of security.  I have yet to see a fix or hear back from either.  Hopefully we can see some security updates to their applications soon.

CarolinaCon Capture the Flag Event

Over the end of April and beginning of May, I was able to attend my first infosec conference, CarolinaCon.  In short, I will go out of my way to make sure that I attend the conference next year.  The talks were great, the people there were fun to meet, and overall it was just an experience that I really enjoyed.  It was cool being around a lot of people who were all just very interested in security.

I participated in the Capture the Flag event that CarolinaCon put on.  I highly recommend that everyone participate in these events if possible, because even if you don’t win, you walk away having learned a lot.

The CTF event started at 7:00pm, and I was able to capture one of the targets at 7:20pm.  It was a pretty simple attack because it was running a vulnerable service that Nessus had easily detected.  I exploited it using Metasploit and found the first flag.

The second flag I got took all day to get.  It was a web form vulnerable to SQL injection.  I spent all day trying to format the query to dump the information that I needed, but I just couldn’t get it.  I spent probably a good 8 hours on and off working to figure out the correct syntax.  At the end of the 8 hours, I discovered a great tool called SQLMap.  With this, I was able to dump the whole database in about 20 seconds.  I was annoyed because I had tried using SQLMap earlier, but it was doing URL-based injections vs. form-based.  Unfortunately, I missed the --forms flag that SQLMap has, and had turned back to manually figuring it out.  Anyways, once I had the --forms flag set, it worked like a charm.

The third flag was a fun one to get.  What I didn’t mention earlier was that when I was on the first box, I dumped the hashes.  Well, the third box was on a separate network only accessible through the first box.  So I had to re-exploit the first system so I could pivot from it into the third box.  Once I set up the routing, I was able to perform a pass-the-hash attack against the third box using the hashes I dumped from the first box.  This gave me access and I was able to get the third flag.

I exploited 3 of the 5 boxes, and I ended up winning the tournament because no one else was able to exploit the two remaining boxes.  It was a really fun tournament, I learned some new tools/techniques, and it was a good time.

In short, I am really looking forward to it again next year.

IP Board Vulnerabilities

Good Morning all,

It’s been a busy past month for me, but I did happen to find a new vulnerability that exists in IP.Board.  IP.Board is basically a web application that allows you to run a forum, with the option to purchase additional functionality, like blogs, a store, etc.

While I was looking into how IP.Board works, and running some tests and scans against it, I discovered a couple of vulnerabilities in the application.  At the moment, they seem to be largely information disclosure and XSRF vulnerabilities, but I am in the process of seeing whether they can be developed into something a little more dangerous.

I’ve already reported some of the vulnerabilities to the developers of IP.Board, and they said that a fix has been created for their next update.  I’ll be sure to let you know once it is released whether it fixes the issue.  The other outstanding vulnerabilities I want to look into as much as I can to see if they can result in a dangerous attack.  As I find out more information and understand how it works, I will then be able to provide a better report to the developers of IP.Board (Invision Services) about the vulnerability.

I am also currently working to get a CVE number reserved for the issue for proper tracking of the vulnerability.

Themeit – Trivially Insecure Theme Store for the iPhone

Update 3: After very briefly looking at traffic sent from the browser to Theme It’s server, the password appears to be hashed, but obviously the hash is still easily sniffed.  I’ll have to look into this to determine if the site is still vulnerable via a replay attack.

Update 2: I have been in continued contact with the developers of Theme It, and I am now glad to say that the security vulnerabilities I have documented here no longer exist.  All passwords sent when logging in and updating user account passwords are no longer clear text.  The purpose of this post was to bring security issues that exist up, and ensure that they are fixed.  In the case of passwords being sent in the cleartext, they have been.

Update 1:  I am pleased to announce that this post has had its desired effect.  While the developer(s) was unhappy that this information was posted, he has actually gone back and updated the way the site handles user authentication and the user information collected.  The initial login process is no longer viewable by intercepting network traffic.  Additionally, the site no longer appears to require a physical address associated with your Themeit account.  There is still an issue that your username and password ARE still sent in the cleartext when you are already logged in and are updating your password.  This appears to be the final remaining (obvious) vulnerability still present on the site.
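Update 3 above observes that the browser now sends a hash rather than the password, and asks whether the replay attack from the later writeup still works.  The following toy model is an added example, not Theme It’s code and not from the original post, and the hostnames, field names and nonce scheme in it are assumptions.  It shows the general point: a hash that is the same on every login is a password-equivalent and replays exactly like the password did, whereas a per-login server nonce that the client must mix into its proof makes a captured login useless a second time.

```python
"""Added example: why a static client-side hash does not stop replay.

Not Theme It's code and not from the original post.  The three login
variants and the nonce scheme are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets


class LoginServer:
    """Toy server holding one account and verifying three login styles."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        # Variant 1 stores a salted hash of the real password.
        self.stored = hashlib.sha256(self.salt + password.encode()).digest()
        # Variants 2 and 3 need the value the client derives from the password,
        # so the server keeps sha256(password): a password-equivalent.
        self.client_hash = hashlib.sha256(password.encode()).hexdigest()
        self.outstanding_nonces = set()

    # Variant 1: cleartext password in the POST body.
    def login_cleartext(self, username: str, password: str) -> bool:
        digest = hashlib.sha256(self.salt + password.encode()).digest()
        return username == self.username and hmac.compare_digest(digest, self.stored)

    # Variant 2: client sends sha256(password).  Whoever sniffs it can resend
    # it forever; the hash simply became the credential.
    def login_client_hash(self, username: str, password_hash: str) -> bool:
        return username == self.username and hmac.compare_digest(password_hash, self.client_hash)

    # Variant 3: challenge-response.  The server hands out a one-time nonce and
    # expects HMAC(key=sha256(password), msg=nonce); each nonce is accepted once.
    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return nonce

    def login_challenge(self, username: str, nonce: str, proof: str) -> bool:
        if username != self.username or nonce not in self.outstanding_nonces:
            return False
        self.outstanding_nonces.discard(nonce)          # single use
        key = bytes.fromhex(self.client_hash)
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)


def client_proof(password: str, nonce: str) -> str:
    """What the browser/app computes for variant 3."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Capture one legitimate login of each style, then replay it."""
    server = LoginServer("testuser", "s3cret!")
    results = {}

    # 1. Cleartext: the sniffed password replays.
    results["cleartext_replay"] = server.login_cleartext("testuser", "s3cret!")

    # 2. Client-side hash: the sniffed hash replays just the same.
    sniffed_hash = hashlib.sha256(b"s3cret!").hexdigest()
    results["client_hash_replay"] = server.login_client_hash("testuser", sniffed_hash)

    # 3. Challenge-response: the real login succeeds once; resending the
    #    same (nonce, proof) pair, which is all a sniffer has, fails.
    nonce = server.issue_nonce()
    proof = client_proof("s3cret!", nonce)
    results["challenge_first"] = server.login_challenge("testuser", nonce, proof)
    results["challenge_replay"] = server.login_challenge("testuser", nonce, proof)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Variant 3 is not a substitute for HTTPS: the server still has to hold a password-equivalent, the sniffer still sees everything else on the page, and an active attacker can still tamper with the unencrypted session.  It only closes the specific gap Update 3 describes, namely that a hash sent in place of the password is just as replayable as the password was.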

I wanted to write about a web application that I have found to be incredibly insecure.  Similar to the previous vulnerability I wrote about, I got in contact with the application Owner/Lead Fif7y.  However, no action has been taken to fix the issue as it still exists.

For those that do not know, Themeit is a store that has recently been developed for selling iPhone themes.  It’s labeled as being made by Fif7y and sells a wide range of iPhone themes.  However, in order to get an account on the website you have to create a username and password, but also submit a number of pieces of personally identifiable information.

When analyzing this, there is no real need for this site to collect your home address.  Since the website uses PayPal as its payment processor, any information needed (address) is sent to PayPal when a purchase is made, and that exchange happens over PayPal’s own secure checkout (the PayPal module was not part of this analysis; this is based on a quick look over the application).

So why does Themeit need our address?  However, this is not the biggest issue.  The big issue is that all information sent to their server is completely in cleartext.

To repeat, themeit in no way encrypts any traffic that is sent to the server.  This can be easily seen by doing a packet capture.

The image below shows the test account that I created for logging into the website.  You can clearly see that the username and password are sent in cleartext (look below the highlighted line in the upper section).

insecure login

Unfortunately, this is not the end of it.  Once logged in, you are able to change your address or any other information associated with your account.  However, if any change is made, all the information sent to the server is also sent in cleartext.  Below is only a snapshot of the packet that was captured, however if you were to capture a packet, you would get all of the information, not just what is shown here.

insecure address information

This is an extremely obvious vulnerability, and does not require a sophisticated attacker to capture any of this information.  It can be caught on a network built on hubs, over unencrypted wireless networks, or by anyone sitting in the middle between the user and the server.  Again, this does not require a lot of IT knowledge to get another person’s username and password.  The simplicity of this attack is the scary part.

A simple remediation, which would stop the transmission of information in cleartext, would be to get a server certificate.  This would allow the login and account forms to be transmitted over https rather than in cleartext; plain http should then be redirected to https so users cannot land on the unencrypted version by accident.

Hopefully this post will get the developers of themeit to take user data security seriously and to fix this glaring hole in their application security.

A Potential Vulnerability I Discovered…

Before you begin reading the writeup, I had contacted the company whose server contains the vulnerability and disclosed all the information I had about what I did.  Their response was that they didn’t consider it a risk, and weren’t going to be modifying the server security.  So I am taking that as a “closed” issue on their end, and I’ll at least write it up.

While trying to determine how secure the server is that I have a website running on, I found an interesting hole.  I consider user accounts to be basically half a password when attempting to access a box.  If I have a username, then I know half of what I need to know to get in.  So I tried testing to see if I could figure out the other user accounts that are on this shared hosting server a website of mine was put on.

I do have SSH and FTP access to the server, as I am a legitimate customer.  So I SSHed into the machine and tried running the “top” command.  It returned some server stats and all user accounts that had an active running process.  However, the user account names were not displayed, only the UID of each account.  Also, I was unable to view the home directories of other users, as my account was jailed.  This was good.

Then I had an idea.  I uploaded a PHP page that ran the same command and returned the results to the web page.  When I browsed to it, I had an unfiltered view of all user accounts on the server that had running processes.  It became clear that the “nobody” account, which the web server runs PHP as, was not jailed, and as a result I was able to make a page that used the nobody account to run the command.  It returned all the same information, except this time it had the actual user account names instead of just the UIDs.
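The difference between the two views above is where the command runs: inside the jail there is no readable passwd file, so UIDs stay numeric, while the web server’s unjailed account can resolve every one of them.  The following is an added example, not the PHP page from the post, that reproduces that enumeration from the proc filesystem and a passwd file.  Both paths are parameters so it can be pointed at a constructed tree offline; the sample processes and accounts in `build_sample_tree` are made up.

```python
"""Added example: enumerate accounts with running processes, with and without
a readable passwd file.  Not the original post's PHP page; sample data is
constructed.
"""
import os
import tempfile


def load_passwd(passwd_path: str) -> dict:
    """Map UID -> login name from a passwd-format file.

    Returns an empty map if the file cannot be read, which is exactly the
    jailed situation the post describes.
    """
    mapping = {}
    try:
        with open(passwd_path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                if len(parts) >= 3 and parts[2].isdigit():
                    mapping[int(parts[2])] = parts[0]
    except OSError:
        pass
    return mapping


def running_uids(proc_root: str) -> set:
    """Collect the real UID of every process visible under proc_root."""
    uids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                                   # not a PID directory
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                for line in fh:
                    if line.startswith("Uid:"):
                        uids.add(int(line.split()[1]))  # real uid
                        break
        except OSError:
            continue                                   # exited or unreadable
    return uids


def enumerate_accounts(proc_root: str = "/proc", passwd_path: str = "/etc/passwd") -> dict:
    """Return {uid: name or None} for every account with a running process."""
    names = load_passwd(passwd_path)
    return {uid: names.get(uid) for uid in sorted(running_uids(proc_root))}


def build_sample_tree(root: str):
    """Construct a fake proc tree and passwd file so the code runs offline."""
    for pid, uid in ((1, 0), (1234, 1001), (1300, 1001), (2048, 1002), (3000, 99)):
        d = os.path.join(root, "proc", str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write(f"Name:\tproc{pid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
    with open(os.path.join(root, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/bash\n"
                 "bob:x:1002:1002::/home/bob:/bin/bash\n"
                 "nobody:x:99:99:Nobody:/:/sbin/nologin\n")
    return os.path.join(root, "proc"), os.path.join(root, "passwd")


def demo():
    """Return (unjailed view, jailed view) over the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        proc, passwd = build_sample_tree(tmp)
        unjailed = enumerate_accounts(proc, passwd)
        jailed = enumerate_accounts(proc, os.path.join(tmp, "no-such-passwd"))
    return unjailed, jailed


if __name__ == "__main__":
    unjailed, jailed = demo()
    print("unjailed (web server view):", unjailed)
    print("jailed (SSH view):        ", jailed)
```

Run with the default arguments from a PHP `exec()` or any other context on a real Linux host and it shows what the web server’s account can see; the fix on the hosting side is to confine that account the same way the SSH accounts are confined, or at least to restrict who can read passwd and other users’ entries under proc.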

It was an interesting find, and since the company is not considering this an issue, I figured it wouldn’t hurt to share with the world.  Enjoy, and see if you can do the same thing on your servers.

Thoughts on Sony

In case you haven’t heard what has happened, a group of hackers, called fail0verflow, recently gave a presentation that demonstrated the lack of security on Sony’s Playstation 3 console.  The team demonstrated how the attack can be performed on the system and used to discover Sony’s private key used to sign software on the Playstation.

Geohot then based his attack on fail0verflow’s work, was successful in finding the Playstation’s private key, and posted it on his website.  For a few days, the world wondered what Sony’s response would be.  And now we know…

Sony originally filed for an injunction against geohot and the fail0verflow team to force them to remove their tools/information off of the internet, ideally prevent the spread of the tools, and force them to stop all future work.  The lawsuit has since been updated with Sony now also seeking damages.

This court case, if it makes it to court, has the ability to set a dangerous precedent, but also a very consumer-friendly one.  It was ruled last year that it is 100% legal to unlock and jailbreak an iPhone for use on other carriers and/or to access an app store that is not allowed by Apple.  At the moment, the ruling only extends to the phone, but it is my hope, the EFF’s, and probably that of many others out there, that it can be extended to consoles, and eventually all electronic gadgets.

The way Sony wants this to be ruled, it is only designed to benefit big business.  I completely agree with Sony protecting its system and doing anything it can to prevent software piracy.  I am against piracy, and would just like to see the console opened up for homebrew.  However, Sony is specifically going after security researchers with this lawsuit.  Researchers need to have the right and ability to test the security of gadgets/systems/etc. and release information to the public without the fear of lawsuits.  Without this, security would not be where it is today.  Without the ability to research and release, systems will stay unpatched as a result of vulnerabilities that would not have been discovered.  It would only put consumer information at risk, and protect the companies who don’t want to spend the time properly securing their infrastructure.

Lets hope the courts can see clearly all the facts.

CISSP Begins

So I’ve just started studying for the CISSP.  I’ve been doing so for about a week now, and I am feeling very confident with all the content that I have read.  The big thing I have noticed when working to obtain all my certifications is that the material needs to make logical sense, as I am very much a logical thinker.  As long as the material is, then it will not be an issue for me understanding any of it.

Additionally, I’ve been working a lot with Backtrack 4 lately.  I’ve been playing around with a lot of the tools again and I still believe it is the best security-based Linux distro available.  The number and quality of tools built into it is superior to anything else I have used.  It never hurts to have a great understanding of these tools, and I’ll continue to work on that.

I purchased a couple of different books to help me study and obtain the CISSP.  The first one, and probably the most popular one, is Shon Harris’s All in One Study guide.  I also purchased her smaller book that contains practice tests.  The other book I bought is the (ISC)2’s official study guide.  It’ll be interesting to read through both and see which book works best for me.  As of now, I’m going to keep working my way through the Access Control domain, and on from there!

Certified Ethical Hacker

Well, it certainly has been a busy holiday season for me.  A significant amount of the time has been spent studying for the CEH, Certified Ethical Hacker exam.  Anytime I had free time, it seemed that I would feel guilty if I just watched TV instead of studying for the certification.

Thank goodness, the hard work paid off.  I took the test last week and walked away with 87% correct, needing only 70% to pass.  It was interesting, and a little tough, but I did feel confident throughout the whole exam.  I felt confident going into it as I spent a lot of time using some of the tools that were discussed in the books I looked over, and it significantly helped to reinforce all the concepts of the books.

There were some questions that just did not seem to be covered in any of the material that I had read, which was a little surprising, but nonetheless, I was able to pass, and definitely walked away really happy.

So what’s next, I’m trying to decide.

My original goal was to receive 4 certifications, Net+, Sec+, CEH, and CISSP.  I’ve achieved three of the four that I originally wanted.  However, I am now feeling a little inclined to get the MCITP: Server Administrator.  I feel that since I’ve just been going through Security certifications, I should go ahead and continue and try to go for the CISSP next.  It wouldn’t seem to make a lot of sense to completely switch to a Microsoft certification, and then go back to a security one.  It just makes more sense to go one after another.

Well, I think that’s what I’ll do.