Oh, wasp!

Second Step to Become a Hacker - Haaga-Helia Assignment

Assignment 2

The questions for the assignment are here

Task X

A05:2021 - Security Misconfiguration

Source

  • The following reasons can make an application vulnerable:

    • Missing appropriate security hardening
    • Improperly configured permissions
    • Unnecessary features are enabled or installed
    • Default accounts and their passwords are still enabled and unchanged
    • Error handling reveals stack traces or overly informative error messages
    • The latest security features are disabled or not configured securely
    • The server does not send security headers or directives
    • The software is out of date or vulnerable
  • To prevent an application from being vulnerable, we can:

    • Create an automated, repeatable hardening process that makes it fast and easy to deploy another environment that is appropriately locked down
    • Have a minimal platform without any unnecessary features
    • Set up a task to review and update the configurations in line with all security notes, updates, and patches
    • Use a segmented application architecture that provides effective and secure separation between components or tenants, with segmentation, containerization, or cloud security groups (ACLs).
    • Send security directives to clients, e.g., Security Headers.
    • Run an automated process to verify the effectiveness of the configurations and settings in all environments.
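
As an added example (not code from the original post), the last bullet's automated verification can start as a check like this, run over a captured HTTP response. It flags three items from the list above: missing security headers, version banners that reveal outdated software, and an error page that leaks a stack trace. The two responses are constructed, and the set of required headers is my assumption.

```python
# Constructed sample responses, not from the original page: one from a server with the
# misconfigurations the A05 list names, one from the same server after hardening.
MISCONFIGURED = {
    "status": 500,
    "headers": {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24",
                "Content-Type": "text/html"},
    "body": "Fatal error: Uncaught Exception in /var/www/app/db.php:42\nStack trace:\n#0 ...",
}
HARDENED = {
    "status": 200,
    "headers": {"Server": "Apache", "Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'",
                "X-Content-Type-Options": "nosniff",
                "X-Frame-Options": "DENY"},
    "body": "<html>ok</html>",
}

# Security directives the server should send, with the reason each matters (assumed set).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "keeps returning visitors on HTTPS",
    "Content-Security-Policy": "limits where scripts and resources may load from",
    "X-Content-Type-Options": "stops MIME sniffing (value should be 'nosniff')",
    "X-Frame-Options": "prevents the page being framed (clickjacking)",
}
BANNER_HEADERS = ("server", "x-powered-by")
STACK_TRACE_MARKERS = ("Stack trace:", "Traceback (most recent call last)", "Exception in")

def audit_response(resp):
    """Return a list of misconfiguration findings for one HTTP response."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}  # header names are case-insensitive
    for name, why in REQUIRED_HEADERS.items():
        if name.lower() not in headers:
            findings.append(f"missing {name}: {why}")
    for banner in BANNER_HEADERS:
        value = headers.get(banner, "")
        if any(ch.isdigit() for ch in value):  # a version number tells an attacker what to look up
            findings.append(f"{banner} header discloses a version: {value!r}")
    if resp["status"] >= 500 and any(m in resp.get("body", "") for m in STACK_TRACE_MARKERS):
        findings.append("error page leaks a stack trace")
    return findings

if __name__ == "__main__":
    for label, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_response(resp) or "no findings")
```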

A06:2021 – Vulnerable and Outdated Components

Source

  • The system is vulnerable if:

    • You do not know the versions of all components you use (both client-side and server-side)
    • The software is vulnerable, unsupported, or out of date
    • You do not scan for vulnerabilities regularly
    • You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion
    • Software developers do not test the compatibility of updated, upgraded, or patched libraries
    • You do not secure the components’ configurations
  • To prevent this, we should:

    • Remove unused dependencies, unnecessary features, components, files, and documentation
    • Continuously inventory the versions of both client-side and server-side components and their dependencies using tools like versions, OWASP Dependency Check, retire.js, etc.
    • Only obtain components from official sources over secure links
    • Monitor for libraries and components that are unmaintained or do not create security patches for older versions

A03:2021 – Injection

Source

  • An application is vulnerable to an injection attack when:

    • User-supplied data is not validated, filtered, or sanitized by the application.
    • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter
    • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records
    • Hostile data is directly used or concatenated.
  • To prevent injection, we should keep data separate from commands and queries:

    • Use a safe API, which avoids using the interpreter entirely, provides a parameterized interface, or migrates to Object Relational Mapping Tools (ORMs).
    • Use positive server-side input validation
    • For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.
    • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
  • For example, consider this query, which concatenates the id parameter straight into the SQL string:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

An attacker can exploit this by modifying the id parameter value in their browser like this:

http://example.com/app/accountView?id=' or '1'='1
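
Added example, not code from the original page: the same query in Python over an in-memory SQLite table (constructed sample data), with the hostile id value from the URL above, beside a version that applies the prevention list (positive validation, a parameterized query, LIMIT).

```python
import sqlite3

# Constructed sample data, not from the original page: a small accounts table
# shaped like the one behind the quoted Java query.
ACCOUNTS = [("1001", "alice", 250.0), ("1002", "bob", 75.5), ("1003", "carol", 1200.0)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn

def account_view_vulnerable(conn, cust_id):
    """Same construction as the page's Java line: the id is glued into the SQL text."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def account_view_safe(conn, cust_id):
    """Defences from the A03 list: positive validation, a parameterized query, LIMIT."""
    if not cust_id.isdigit():  # allow-list: a customer id is digits only
        raise ValueError("invalid customer id")
    # The driver transmits cust_id as a bound value; it can never change the query structure.
    return conn.execute("SELECT * FROM accounts WHERE custID=? LIMIT 1", (cust_id,)).fetchall()

def compare(cust_id):
    """Return (rows from the vulnerable query, rows from the safe query or None if rejected)."""
    conn = make_db()
    vuln = account_view_vulnerable(conn, cust_id)
    try:
        safe = account_view_safe(conn, cust_id)
    except ValueError:
        safe = None
    return vuln, safe

if __name__ == "__main__":
    # Second value is the id from the page's example URL, URL-decoded.
    for cid in ("1002", "' or '1'='1"):
        v, s = compare(cid)
        print(f"id={cid!r}: vulnerable returned {len(v)} row(s), safe returned {s}")
```

With the hostile value the concatenated query becomes `WHERE custID='' or '1'='1'` and returns every account, while the safe version rejects the input before any SQL runs.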

Darknet Diaries - NSO

Source

Summary

In 2001, someone issued a Freedom of Information request and got back information that the FBI uses malware called Magic Lantern to capture keystrokes on target computers. Magic Lantern can record your keystrokes and send everything you type back to a central system. Of course, malware like this that is used by the FBI needs some kind of warrant to be used, so this is, surprisingly, a lawful intercept mechanism. This gets interesting when people start to ask a question:

“If the FBI has legal permission to wire tap someone, should antivirus companies detect and report this activity?”

Not surprisingly, the answers from these companies are very vague.

Citizen Lab helps people out when they’re targeted by digital threats. Ahmed Mansoor has been targeted many times by different hacking groups just because he’s a human rights activist who speaks out against the UAE government. Ahmed reached out to Citizen Lab after being targeted again in 2016 and showed them some links and messages that are linked to the NSO Group. From these they were able to get a copy of the Pegasus spyware.

Pegasus is a very sophisticated, stealthy and extremely dangerous spyware that can jailbreak an iPhone remotely. Here are the steps:

  1. User clicks a malicious link using their iPhone
  2. JavaScript program runs
  3. Safari browser opens up. Safari uses WebKit as its engine. The JavaScript program tries to exploit a bug in WebKit which would allow it to write data to the phone
  4. JavaScript downloads a malicious program
  5. Stage two of the exploit chain starts

The spyware has to jailbreak the iPhone because the only apps that can be installed on an iPhone have to come from the App Store. So to force the phone to install any malicious software, they need to jailbreak the user’s phone first. The app then does all sorts of things such as turning on the microphone and camera, reading messages, tracking location etc. and sends all of it back to the attacker.

NSO Group was started by three guys, Niv, Shalev and Omri, and sells sophisticated mobile spyware. Their customers are governments. Shalev from NSO claims that their software is there to prevent crime and terror. He backs his claim by saying that when the Mexican authorities wanted to capture the drug lord El Chapo, they had to tap the phones of a few people he talked to. Although these people are not criminals, the authorities needed to intercept them in order to catch El Chapo. This raises an interesting ethical issue. However, at the end of the day, success stories don’t make the problem of abuse go away.

All in all, this is still a grey area, and there should be laws and consequences for governments that abuse this kind of tool.

Lesson Learned

It’s fascinating listening to this episode. If you are a true crime fan or at least watch many TV series related to the police, government or conspiracy theories, this is not so alien to you.

This episode opened my eyes to the big companies that create this malware and spyware legally for governments. It’s a dangerous world we are living in, especially if you are an activist 😅.

Threat actors here, from my point of view, are both the governments and NSO. NSO can argue that they are creating this malicious software to help others, not to harm, but they are still part of the gang.

About Ahmed, he was careful and took the right step to avoid being attacked by Pegasus because he had experience with these kinds of attacks; I don’t think there was a better way to mitigate the attack than contacting Citizen Lab in this case. We also learn to be cautious before clicking any link or downloading anything. This reminds me of the phishing emails I got recently. There are emails about a package I haven’t picked up from DHL, and they keep emailing me the same kind of content insisting that I forgot to pick the package up etc. It’s pretty obvious that these are phishing emails, but I don’t know why I’m being attacked so fiercely nowadays; I’m not an activist. Maybe I’ve registered on some malicious pages 😆. Dangerous world!

CVE-2021-34527

Source

Windows Print Spooler Remote Code Execution Vulnerability

This CVE, known as “PrintNightmare”, is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft released an update for this CVE, but a system can remain vulnerable after installing it. If the user’s computer has this registry setting

NoWarningNoElevationOnInstall = 1

the system is vulnerable because an attacker can install programs and do anything they like to the system. Therefore, Microsoft told users to change that registry setting to

NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

Microsoft investigated and released security updates for this afterwards.

Task A - Solve SQLZoo

1. SELECT basics

Source

[Screenshots of the completed SQLZoo exercises]

2. SELECT from World

Source

[Screenshots of the completed SQLZoo exercises]

CHARINDEX is used here instead of LIKE because of performance concerns in real-world use

[Screenshots of the completed SQLZoo exercises]

Task B - Solve WebGoat

  • What Is SQL?
  • Data Manipulation Language (DML)
  • Data Definition Language (DDL)
  • Data Control Language (DCL)
  • String SQL Injection 1
  • Numeric SQL Injection
  • String SQL Injection 2
  • Query Chaining

[Screenshots of the completed WebGoat lessons]

Task M - SQL Zoo 9+

Source

[Screenshots of the completed SQLZoo exercises]

Task O - CRUD Operations Using PostgreSQL

  • Download PostgreSQL from here

  • After running the installer, you will be asked to install pgAdmin 4 and other components as well; proceed with installing all of them

[Screenshot: Install PostgreSQL]
  • Start pgAdmin 4 and type in the password you set up during installation.
  • Right click PostgreSQL 14 (assuming that you have installed the latest version) –> Create –> Database... as in the picture
[Screenshot: Create PostgreSQL Database]
  • In the General tab, type your database name in the Database input –> click Save

  • Right click on the newly created database –> Query Tool. This will allow you to write SQL queries and execute them

  • This is my code to create the tables. I’m aware that the grades table is not in BCNF, but this is just for practicing so I let it be this time

CREATE TABLE students (
    id          SERIAL,
    first_name  TEXT NOT NULL,
    last_name   TEXT NOT NULL,
    PRIMARY KEY (id)
);

CREATE TABLE grades (
    id          SERIAL,
    name        TEXT UNIQUE NOT NULL,
    grade       INT NOT NULL,
    student_id  INT,
    PRIMARY KEY (id),
    FOREIGN KEY (student_id) REFERENCES students(id)
);

  • Now we can start inserting data into the tables

INSERT INTO students (first_name, last_name)
VALUES
    ('John', 'Doe'),
    ('Jane', 'Smith'),
    ('Adam', 'Perez'),
    ('Cassandra', 'Jackson');

INSERT INTO grades (name, grade, student_id)
VALUES
    ('Database Developer', 5, 1),
    ('Data Security', 4, 1),
    ('Business Mathematics', 4, 2),
    ('Finnish', 1, 3);

  • Then we can perform some SQL queries. Let’s find all students who achieved grade 4

SELECT first_name, last_name, name, grade
FROM grades
JOIN students ON grades.student_id = students.id
WHERE grade = 4;

We get this result

[Screenshot: Query Result]
  • The Finnish teacher realizes that she recorded the wrong grade for Adam Perez, so she updates his grade for the Finnish course with this query

UPDATE grades
SET grade = 3
WHERE name = 'Finnish' AND student_id = 3;

We can check Adam’s new grade now with this query

SELECT first_name, last_name, name, grade
FROM grades
JOIN students ON grades.student_id = students.id
WHERE student_id = 3;

Here’s his new grade

[Screenshot: Query Result]
  • Cassandra drops out of school, so the school has to delete her record

DELETE FROM students WHERE id = 4;

And we can check the list of students with the following query

SELECT * FROM students;

Cassandra is gone

[Screenshot: Query Result]

Task Q - Demonstrate Aggregate Functions (SUM, COUNT)

Let’s check how many students there are in the school at the moment

SELECT COUNT(*) AS no_of_students FROM students;

[Screenshot: Query Result]

We can also check the total value of students' grades right now

SELECT SUM(grade) AS sum_of_grades FROM grades;

[Screenshot: Query Result]

Task R - Demonstrate JOIN With Your Own Database

We can check the students’ info and their grades with only this query

SELECT first_name, last_name, name, grade
FROM students
JOIN grades ON grades.student_id = students.id;

Here’s the result

[Screenshot: Query Result]