Monthly Archives: February 2009

Cambium Group, LLC. CAMAS Advisory

We’ve finally released the Cambium Group, LLC Content Management System (“CAMAS”) advisory after much waiting and debate. These security risks were discovered in CAMAS during a customer penetration test that we did in August of 2007 (we notified the Cambium Group about these risks on 08/24/2007). The security vulnerabilities that are disclosed in the advisory are kept very high level and low detail as to not arm any potentially malicious people. Unfortunatley the vulnerabilities still exist today (almost two years later) according to some recent Google research that we did. In fact, according to Google’s cache the Cambium Group’s own website was vulnerable as of Feburary 9th 2009 to the exact same vulnerabilities that we alerted them to on 08/24/07 (see the screen shot below).We can’t ethically test Cambium Group customer’s websites without their permission, hence why we rely on Google for this information. Google sometimes triggers vulnerabilities in websites while crawling them and the results get recorded to Google’s database. When that happens they become searchable (and get cached). Malicious hackers and script kiddies also use Google in this way to identify websites that are vulnerable to SQL Injection. This gives them an easy set of targets that they can compromise with little effort.You can check to see if Google stumbled upon a vulnerability in your instance of CAMAS by using the following technique. Type the following string into the Google search engine but replace www.company.com with your company’s domain (see the screen shot below as an example.) String (without the quotes): “inurl:www.yourcompany.com 1064 You have an error in your SQL”When you hit the search button (and if Google has a cached version of your website being vulnerable) you will […]

Facebook from the hackers perspective.

For the past few years we’ve (Netragard) been using internet based Social Networking tools to hack into our customer’s IT Infrastructures. This method of attack has been used by hackers since the conception of Social Networking Websites, but only recently has it caught the attention of the media. As a result of this new exposure we’ve decided to give people a rare glimpse into Facebook from a hackers perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine both core members of our team.

Lets start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can’t ever be verified with certainty. As a result, its easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest).

 
Image provided by Michael Painter
Humans have a natural tendency to trust each other. If one human being can provide another human with “something sufficient” then trust is earned. That “something sufficient” can be a face to face meeting but it doesn’t always need to be. Roughly 90% of the people that we’ve targeted and successfully exploited during our social attacks trusted us because they thought we worked for the same company as them.

The setup…

Facebook allows its users to search for other users by keyword. Many facebook users include their place of employment in their profile. Some companies even have facebook groups that only employees or contractors are allowed to become members of. So step one is to perform reconnaissance against those facebook using employees. This can be done with facebook, or with reconnaissance tools like […]

They will protect my data (won’t they?)

So the other day I was talking with my buddy Kevin Finisterre.  One of the things that we were discussing was people who just don’t feel that security is an important aspect of their business because their customers don’t ask for it.  That always makes my brain scream “WHAT!?”. Here’s a direct quote from a security technology vendor “We don’t perform regular penetration tests because our customers don’t ask us to do that.”Isn’t it the service provider’s/vendor’s responsibility to properly manage and maintain the security of their infrastructure?  Don’t they have an ethical obligation to their customers to protect the service that they are offering and any information that the customers decide to store on their systems?The real question is, how many customers would they lose if the customers heard them say that? That is after all just like saying “We don’t care about security because our customers aren’t asking us to care about it.”  So who have I heard this from? Here’s the (very) short list:Vendors that make security software (like email gateways, anti-virus technology, Intrusion Prevention Systems, etc).Vendors that make technology that is used to control our Nuclear Power Plants, Water Purification Plants, Traffic Control Systems, etc.Vendors that sell business enabling technologies like PHP based Content Management Systems, Commercial Web Servers, Server based applications, Web Applications, etc.Vendors that sell desktop applications like Financial Tracking Systems, Invoicing Systems, File Sharing Systems, Backup Solutions, etc.I’ve also heard this from MAJOR Service Providers such as Web Hosting Providers, Email Providers, Backup Service Providers, etc.The list goes on….I think that people need a wake up call.  This strikes me as a serious ethical issue, what about you? Leave me a comment I’m very interested in feedback on this one. Netragard, […]