Posts Tagged ‘SamuraiNet’

« Older Entries

psych0tik IRC downtime and updates

Monday, June 14th, 2010

As you may have noticed, the pyshc0tik IRC’s primary domain name no longer points to the correct IP address. On May 29th a reboot of Samurai’s router caused a new dynamic IP to be assigned and resulted in the old DNS zone to going stale. We’ve had some issues with getting our DNS entries updated and are working to find a more stable solution, but in the meantime you should still be able to access the IRC via the temporary backup domain: rogue.samurainet.info. The IRC is still on port 6697 and requires SSL.

In addition to our DNS issues, you may also have noticed subtle changes in the blog’s organization. We’ve restructured the menu, removing all the old SamuraiNet Archive sub-categories, to make room for psych0tik categories. Some of the psych0tik posts have moved to newly created categories and all posts have been re-tagged to be more searchable. Samurai has also been kind enough to go through and update a few of his posts in the archive, either correcting known issues or noting dead projects. We’re hoping that these changes to the blog will make it easier to find what you’re looking for.

One of the changes we haven’t been able to implement on the blog is getting a custom psych0tik theme. While we will eventually get to this item, it’s definitely not a high priority on our to-do lists. If you’d like to donate some effort and create a psych0tik theme for WordPress, leave a comment below with your email address and we’ll get in touch with you. For your effort’s we’ll offer you a link on our “prestigious” affiliates category.

The proxyElite project is undergoing some final alpha testing (and a few last minute additions/tweaks) before we release it for public beta. We’ve revived the functionality of the previous version of this project and added some new features and techniques. Keep an eye on the blog for the release post in the next few weeks.

Finally, we still don’t have a WWW set up yet. We’ve hit a few small snafus and have been too busy to sort out what should be simple issues, until recently. We’re back on a roll and will hopefully have our main site up soon.

~psych0tik staff

Tags: , , , , , , ,
Posted in psych0tik News | 1 Comment »

proxyElite moving to psych0tik

Friday, December 18th, 2009

Those of you who’ve followed this site for a while may remember the proxyElite project that richo and I started a few years ago. The concept was to provide a list of fast, working, stable proxies by constantly checking the status of a large list and using some backend algorithms to help determine which proxies would be best.

The project eventually fell to the side because of lack of resources as the weak little shared host it was running on just couldn’t handle the load of checking thousands of proxies every hour and the lists grew too stale too quickly.

Now, with the creation of the psych0tik network, we’re reviving the project. The web application will be moving to a new server, one that can handle the load of the look ups. Beyond simply reviving the project as it was when we left off, we’ll be reworking the code, adding new features, and working to make the list even more reliable.

Stay tuned while we get things moved and restarted and you should be seeing this in the new year.

Tags: , , , ,
Posted in SamuraiNet Archive | 1 Comment »

The password problem

Friday, November 27th, 2009

Odds are good if you’ve reached this blog, you have an account on at least one website somewhere on the wild wild web. This account could be on a web application ranging from something as critical as a finical institution or your primary email account to something as trivial as your account on some random blog. I’ve got far too many to even be able to number, falling everywhere in between those two lines, and have created my fair share of passwords. Normally, this is the point where the blogger starts ranting about “longer passwords” or “use a passPHRASE” or “use special characters.” This time however, I’m pointing the finger at the application designers.

Originally, this post was going to be little more than my frustration with not being able to use passwords that I desired, due to restrictive requirements on applications. After gathering some data, to have a soap box to stand on, I realized that some of these “requirements” actually go beyond the surface level annoyance and actually affect the security of your account directly. Some of these applications go as far as to actually prevent you from using a secure password or reveal other weaknesses in the application’s design. I’m sure this isn’t a new find by any means, but some of the “requirements” I’ve seen are pretty outrageous. The most startling bit is a good majority of the examples I’ll be using in this post have come from accounts falling into that “critical” category.

Before I go on and discuss the various “vulnerabilities”, I’d like to note that the list below is definitely not a comprehensive list of all web application password vulnerabilities. Rather, everything below was gathered from requirement messages listed at the time of creating the password and other things I noticed while creating the account. The purpose of this list is to explain each issue, on both a technical and non-technical level, as well as to provide recommendations for end users encountering each. Examples used here are gathered from live, current web applications to represent the current issue as well as to provide real world examples as teaching tools for detection.

Restrictive Length

This was probably the most prevalent poor password requirement I came across, which is odd to me as I’ve never seen any reason to restrict a user’s password other than to require a minimum length. Despite this, we see the following types of messages all across the web:

Password must be 6 to 8 characters in length

Please enter a password that has a maximum length of 12 characters

By reducing limiting the number of characters a password can contain the number of possible passwords, the keyspace, is also reduced. This means that a malicious user who is either brute forcing the application or has obtained a copy of the hash and is cracking it has to check a smaller number of passwords.

Other than simply restricting length through verbose and obnoxious warnings, some developers will simply truncate your password. In some situations, this truncation happened through an html attribute defining the maximum length of the password creation field as well as the login field. This double-combo actually makes things worse as it may be some time before you notice that your 23 character password is being cut-off at 12 characters.

Restrictive Character Set

I can almost build a case for these requirements. Almost. I’ve spoken with developers who have restricted characters allowed in your password by the same rules they disallow characters for SQL injection blocking or cross site scripting prevention. In other cases, I’ve seen character sets reduced by case-insensitivity.

Contain no spaces or special characters (eg <, &, >, *, $, @)

No spaces or invalid symbols

Contain 6 to 8 characters – at least one letter and one number (not case sensitive)

In these examples you can see developers trying to limit their attack surface by preventing any sort of attack on their application through the password field. Where this argument breaks down is, a proper application should be one-way hashing the passwords. When the password is hashed these special characters are eliminated and thus rendered safe.

In the third example, you can see that the keyspace is reduced even further by removing 26 characters, either the upper or lower case letters. At the same time they have reduced the keyspace characters to 36, they’ve also limited password length on both the upper and lower end.The combination of these two restrictions effectively reduces the keyspace from 218,340,105,584,896 (8 characters, upper/lower-case, numbers) to 2,821,049,441,280 (6-8 characters, case insensitive, numbers), just over 1% of the password possibilities.

Defending yourself

In many cases, when you come upon a web application as inherently insecure as the ones listed above it’s probably best to simply walk away and not bother with it, however; there are cases where you may need to create and use and account. It’s possible to mitigate some of the risks of restrictive passwords by paying attention and adjusting your password accordingly.

Probably the greatest risk of the issues outlined above is the possibility of your password being compromised by another user. As it’s impossible to create a stronger password than the application will allow, this reduces our options drastically. I suggest creating a couple passwords and then group accounts into “security levels” based on their requirements. By having multiple passwords and using them on web applications with varying levels of security, you can ensure that a compromise due to one of these poor password policies is limited to a password only used on other such sites.

Detection is important because without it you aren’t able to correctly classify the security level of the application’s password policies. Beyond simply looking at the requirements listed, a complex password designed to trigger applications with poor password management to fail can be used to test the application.

#th!$iSaG<><>|)’test–p@ssword”!*

The password above can be used to test applications. By including common SQL injection characters, cross site scripting characters, upper/lower case, numbers, commonly denied symbols and a length 33 characters of  you can test the whole array of restrictions. Beyond simply testing the restrictions, it actively tests the application for SQL injection potential. The ‘ and ” characters included in the password are designed to trigger SQL errors if they are not handled (either by hashing or SQL character stripping.) An application that throws an error on this password should actually be considered significantly less secure.

Tags: , , , , ,
Posted in SamuraiNet Archive | 1 Comment »

My new friend Larry…

Saturday, November 21st, 2009

Today while I was working on reorganizing some of my wiki, I received an unexpected message from a fellow internet user, a friend going by the name of “Larry.”

Below is my conversation with Larry, who refused to give even the most basic information. How he got my screen name, for example. His business seemed to be getting my credit card number, location, and even assistance in hacking!

I look forward to my next chat with Larry. He’s a nice enough guy, just a bit hard to understand.

[4:02] <icando ike> icando ike wants your attention!
[4:02] <icando ike> hi
[4:03] <icando ike> how are u doing?
[4:03] <icando ike> It larry
[4:03] <icando ike> Longtime
[4:03] <samurai> i think you’ve got the wrong number bub
[4:03] <icando ike> Lolz
[4:03] <icando ike> What do you have?
[4:04] <icando ike> Do you have CC?
[4:05] <samurai> why do you need to know that?
[4:05] <icando ike> I need it
[4:05] <icando ike> Dont you hack again
[4:05] <icando ike> ?
[4:05] <icando ike> Let me know
[4:06] <samurai> no
[4:06] <samurai> are you some sort of scam artist?
[4:06] <samurai> because you really suck at it
[4:06] <icando ike> okay Dude
[4:06] <samurai> im not giving you a CC #
[4:07] <samurai> im not helping you hack anything
[4:07] <icando ike> i see
[4:07] <icando ike> So what do you do now?
[4:07] <samurai> currently, i heard sheep
[4:08] <samurai> rough economy. gotta get work wherever you can man
[4:08] <samurai> thank god sheep are too dumb to sort things out for themselves… we’ll always need shepherds
[4:09] <icando ike> Thank right
[4:10] <samurai> so, unless you have some sheep
[4:10] <samurai> that need managing
[4:10] <samurai> i dont see that we have any further business together, larry was it?
[4:13] <samurai> are you a bot or a person?
[4:14] <icando ike> A person
[4:14] <icando ike> Where do you stay right?
[4:14] <samurai> where do i live?
[4:15] <icando ike> yeah
[4:15] <samurai> in an apartment
[4:16] <icando ike> I see
[4:16] <icando ike> Where are u Located?
[4:16] <samurai> you dont need to know that
[4:16] <icando ike> Lol
[4:16] <icando ike> You speak to me in a mannerfull way
[4:16] <icando ike> I need to know
[4:17] <samurai> why?
[4:17] <icando ike> Why??????????????
[4:17] <icando ike> Dont you read what i type
[4:17] <icando ike> ?
[4:17] <samurai> i did read what you typed… but you didnt give a reason
[4:18] <samurai> you’ve just demanded to know my location
[4:18] <samurai> i have no clue who you are buddy
[4:18] <samurai> or why you’re talking to me
[4:20] <icando ike> I see
[4:20] <icando ike> You seems to be a Pretender or what
[4:20] <icando ike> You are a Hacker,and we deak together as well
[4:20] <icando ike> Suddenly you never show up here
[4:21] <icando ike> I was lucky i found you today
[4:21] <samurai> show up where?
[4:21] <samurai> online
[4:21] <samurai> ?
[4:21] <icando ike> yes onine
[4:21] <icando ike> Then i told you i need Stuff
[4:21] <samurai> how did you get my screen name ?
[4:21] <icando ike> You saying things i dont Understand
[4:22] <icando ike> Guess you Dude,Seem you dont Read what i type
[4:22] <samurai> i like you larry
[4:22] <samurai> you make me smile
[4:23] <icando ike> Thanks Andrew .dude
[4:23] <samurai> ;)
[4:24] <samurai> so you’re a hacker?
[4:25] <icando ike> Question or what
[4:26] <icando ike> Are u pulling my Legs or what the hell is happening here
[4:26] <samurai> that’s what i’d like to know
[4:27] <samurai> so you’re a hacker?
[4:28] <icando ike> yes..why asking
[4:28] <samurai> are you a good hacker?
[4:28] <samurai> are you 1337?
[4:28] <icando ike> Common i hate all this Pracks
[4:29] <icando ike> Enough of this
[4:29] <samurai> what is your business with me larry?
[4:30] <icando ike> Dude i’m off
[4:30] <samurai> okay
[4:30] <samurai> enjoy your evening larry
[4:30] <samurai> talk to you later :)

Tags: , , ,
Posted in SamuraiNet Archive | 3 Comments »

A new mindset – A new box

Friday, November 13th, 2009

It’s been sometime since I’ve last made a post (like a really long time,) but I’m changing that with this post (obviously) and yet again promising to be more attentive. This time however, the change isn’t simply “more blog posts”, but instead a radical change. SamuraiNet will be merging with the psych0tik network and I will be joining with richo and CarbonLifeForm to run the new and improved psych0tik. Over the next couple months we’ll be releasing more information, including a real release date (to hold ourselves to getting this done.)

All these changes mean only one thing, we needed to amp up our gear. As it’d been a while since I bought a new machine and I was itching to get something fun I volunteered to make the first addition to our network, Storm.

Storm’s Specs:

Built on: Shuttle SA76G2 Barebone 

AMD Phenom II x4 Black (4 Cores@3.2Ghz)

4Gb Patriot Viper DDR2 800 (PC2 6400)

Seagate Barracuda 1.5Tb (7200 rpm) SATA drive

Western Digital Velociraptor 150Gb (10000 rpm) SATA drive

Tags: , , ,
Posted in SamuraiNet Archive | No Comments »

Paypal Shuts down the Hackers for Charity

Wednesday, July 15th, 2009

It would seem in an attempt to keep fraud off Paypal, the Hackers for Charity (and Johnny himself) have been put in quite a pickle. While out in Kenya helping fight off the world’s problems, Paypal has gone ahead and frozen his account because of some paperwork issues. I agree that security and fraud protection are paramount for an organization such as Paypal; however, their poor response time and awful support system have left something to be desired.

For more information, check out:

http://www.hackersforcharity.org/259/paypal-shuts-us-down/

Tags: , , , , , ,
Posted in SamuraiNet Archive | No Comments »

3rd party MSN problems: Update!

Saturday, January 31st, 2009

In my previous post 3rd party MSN problems, I discussed how to update pidgin to use MSN-Pecan, rather than Libpurple. After doing some research, the problem was found to be the implementation of MSNP15. Official MSN clients, as well as a few 3rd party clients, seem to fall back on older protocols. As MSN-Pecan uses MSNP12, it will work.

This morning, I accidentally signed in under MSN, rather than the WLM account on pidgin and lo-and-behold it worked! The pidgin folks have pushed out a fix to the MSNP15 problem and pidgin should function correctly now.

If you’d like to follow the bug report, it can be found here.

Tags: , , , , , , ,
Posted in SamuraiNet Archive | No Comments »

The Hacker Mindset

Wednesday, January 14th, 2009

We’ve all seen Hollywood’s depiction of hackers. Flashing graphics, strange
clothing, all night soda binges. This fantastical display of the ‘hacker
subculture’ provides very little insight into the technical aspects of
hacking. Very little of what we see is remotely close to the true
inner-workings of hacking. Despite this inaccuracy, the people involved are
shown in a realistic sense. The clothing, the ‘catch phrases’, the actual
culture displayed may or may not be accurate depending on who you speak to,
but the motivation and creativity displayed are universal. Hacking is
thinking outside the box in a technical sense. While you may need a vast
technical knowledge to execute an attack, the process of developing the
methodology can be accomplished without nearly as much technical knowledge.
These movie characters stop at nothing to accomplish their goal and often
find unorthodox solutions to problems.

Look around whatever room you are in and find a light. Can you think of 10
different ways to make that light useless? When I teach classes or lecture
at conferences I like to use this as an opening drill. Most of the time
people only come up with ‘turn off the switch’ or ‘take the light bulb
out.’ While these are valid answers, they are not very creative. What I
like to see are answers more like ‘destroy the power company,’ ‘shoot it,’
or ‘over-load it with current.’ ‘Destroy the power company’ is a great
example of a non-technical example explaining something useful. While that
particular person didn’t know about power grids or how that part of our
infrastructure works, they did understand a creative way to exploit it.

What is all this talk about creativity? Why is it so important? When you
are doing a penetration test, odds are good it is not on a virgin
environment. An environment void of firewalls and lacking patches would be
ripe for the picking, but this is rarely our situation. Creativity is how
we bypass the security already in place. Hacking is the art of using things
in unexpected ways, the art of being clever.

To give an example, think of a simple SQL injection vulnerability in a form
field for a first name. The developer was either careless or clueless when
he passed the value to the database and left it vulnerable. We’ll hope that
he was more clueless than careless and proceed. As a hacker, we look
at the input and see the potential to exploit his database by injecting our
own queries, but to the developer it’s simply a form field for a name. The
developer never saw this attack coming because of what he thought the code
did, rather than what it was capable of. A hacker has to be creative in
order to successfully understand and exploit things.

A great example of exploiting using creativity are logic flaws or process
exploits. These vulnerabilities are exploited when a hacker finds some
portion of code that the developer assumed would be used correctly. If you
were to goto a website and see a login field you couldn’t bypass, odds are
good that’s the end of trying to exploit it. Now, applying our new found
creativity, what if we guessed what URLs an authenticated user would have
access to and type them in manually. Many developers simply do not display
links to pages you don’t have access to, but don’t enforce those
restrictions. This perfectly illustrates how a hacker will use something in
an unexpected way. By attempting to find pages that we weren’t presented
with links to, we completely bypass the ‘workflow’ of the application and
therefore can introduce vulnerabilities in the process, rather than the
code.

While many vulnerabilities require an in-depth technical knowledge to
exploit, this technical knowledge isn’t required to be a ‘hacker.’ A hacker
without technical knowledge would do a poor job of executing his attacks,
but the concepts of thinking outside the box and finding places to look
that no one else did, or putting things together in just the right way to
reach the goal, these are creative skills.

To read the rest of the articles in this newsletter, please see:
http://www.bitsofspy.net/newsletter/1/the_newsletter_001.txt

Tags: , , ,
Posted in SamuraiNet Archive | 3 Comments »

3rd party MSN problems

Monday, January 12th, 2009

Yesterday I attempted to connect to my MSN account with pidgin and received the error “Unable to retrieve MSN Address Book.“  After a bit of research I found that Microsoft has prevaricated parts of the MSN protocol in turn for the WLM protocol.

In order to fix this issue, you must switch your protocol to WLM from MSN. If you don’t have the WLM option in the ‘add account’ dialog box install the X11 plugin for msn-pecan. (Under Gentoo this is: x11-plugins/pidgin-msn-pecan)

After this install, a restart of pidgin, and creating a WLM pidgin account I was able to resume chatting happily.

Tags: , , , , , , ,
Posted in SamuraiNet Archive | 4 Comments »

Gmail Vulnerability: All hype?

Wednesday, November 26th, 2008

As far as I know this has not been patched yet.

There is a very simple solution to monitoring this problem. Simply adding your own filter with an alternative email address. I just tested this and while the email is sent away from your inbox, it is sent to both addresses. This way you will atleast have a record, and if you check that address more regularly it will act as a notification system.

The exploit is not quite as glamorous as that article depicts either. It’s a Cross Site Request Forgery vulnerability introduced by an improperly implemented token key-pair. As the author mentions, the token should be changed at each request, rather than each session. As mentioned in the article, both the ‘Session Authorization Key’, the token, and the ‘Unique Account Identifier’, which I assume is something like the session key are required. Neither is trivial. The session key would require a vulnerability, such as Cross Site Scripting or Tracing vulnerability, to be accessed. The token must be read from the page that you are posting ‘from.’ Because of JavaScript’s sandbox, this cannot be done through the use of an iFrame or AJAX request. It must be done from the client’s localhost or the domain, in this case Google.

Obviously it is possible, since Google has responded to the threat and proof has been shown of domains being stolen, but nothing new has happened here. It is simply a clever implementation of a few common tricks.


http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/

http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html

Tags: , , , , ,
Posted in SamuraiNet Archive | No Comments »

« Older Entries