Security Researcher Demonstrates Healthcare.gov Vulnerabilities

Dave Kennedy Healthcaredotgov hearing

A select panel of experts met to discuss the security issues with Obama’s Healthcare.gov website. But only one of them demonstrated vulnerabilities live.

TrustedSEC CEO (and creator of the Social Engineering Toolkit) hit the ball out of the park yesterday at the Congressional Committee Hearing on the Affordable Healthcare Act – Healthcare.gov website security issues.

According to the opening statements by Chairman Lamar Smith, Healthcare.gov is “One of the largest collections of personal data in the world“. The site contains data from 7 different agencies, and includes personal information such as citizen’s birthdays and social security numbers.

According to the President, the website was safe, secure and open for business. But the administration has cut corners with the website that leaves the site open to hackers.

At the hearing, Kennedy said that through passive reconnaissance his company had discovered 17 different direct exposures which they reported. He would not talk about all of them, because as of the time of the hearing not all of them had been fixed. He then went on to actually demonstrate several possible ways that hackers could target the site.

David does not talk about all of the issues that they discovered, but their full report(PDF) that was submitted to congress is very interesting.

The report shows several issues that include:

  • Open Redirection (where a malicious re-direct link could be inserted into a Healthcare.gov link)
  • XML injection
  • JQuery File Upload
  • Exposed User Profiles!

But that is not all, there are also remnant website “test” links:

healthcare security issues

The Congressional Hearing and TrustedSEC’s report are both well worth your time.

Kudos to Dave, he did a phenomenal job, and as always, both expertly and professionally represented the white hat security field.

New Social Engineering Toolkit v4.3 Released!

Christmas comes early as one of the best computer security tool gets a big update. This week David Kennedy and the Trusted Sec gang released a new version of the Social Engineering Toolkit (SET). And this one comes with over 60 new features and updates!

As far as I am concerned, SET is hands down the best way to test your corporate network (and users!) against social engineering type attacks. Social Engineering data attacks (getting someone to run a malicious file through manipulation) is one of the top threats our networks face today. Dave and his team have put some major time and energy into SET to keep it up to date and relevant to the changing topography of network security.

So let’s take a look at the new features:

Multi-pyinjector looks to be one of the most interesting additions (see video above). SET can now deliver multiple payloads through multiple ports increasing your chances of success.

Tack_Email_Addresses is totally new to SET. This feature allows you to track which users clicked on your links and what they input on your website when they arrive.

Looks like this version of SET is also much better at AV evasion. The Java applet attack included in older SET versions was being picked up and blocked by a lot of Anti-Viruses. It seems to be working much better now. Hey, was that a fully patched and updated Windows 8 system I see used in the video?  🙂

Check out the Trustec Sec blog or their video above for more info!

Social Engineering Toolkit v4.1.1 “Gangnam Style” Released

David Kennedy and the Trusted Sec crew have recently released yet another update to the very impressive Social Engineering Toolkit.

SET v4.1.1 codenamed, “Gangnam Style”:

This version has a number of new enhancements including the ability to natively use Apache with the multiattack combining the Java Applet Attack and the Credential Harvester. Traditionally speaking, the credential harvester attack could only be used by the native SET HTTP server. We recently developed a php hook that gets copied over to the web root along with the standard Java Applet attack. If the Java Applet fails, the backup for credential harvester can be used. In addition, a number of stability updates were given to the standard Credential Harvester attack.

The harvester now supports multi-threading for faster response times when hitting the website. All-in-all this release adds a ton of new functionality and features. In addition to these changes, the Metasploit Meterpreter ALLPORTS payload is now supported through the PyInjector and ShellCode Injection techniques for the Java Applet. Lastly, we’ve added a new Java Applet that has been redesigned and heavily obfuscated. Enjoy!”

SET is one of our favorite computer security tools here at CyberArms.I can not think of an easier to use tool that allows you to check the security of your network against social engineering attacks.

We are just so grateful that David Kennedy and his team spend so much time tweaking and updating it.

Nice job guys!

Windows 8 Security in Action: Part 2

This is Part 2 of the 3 part article “Windows 8 Security in Action” featured in this month’s issue of Hakin9 Exploiting Software. Part one is available here.

Changes in Microsoft’s Password Policy

I have noticed some changes in the way Microsoft handles their different service account passwords over the past few weeks. It first started a while back when using Microsoft Live mail. One day when I typed in my legitimate password to my e-mail account, I received this error message (Figure 8):

Figure 8 – Microsoft Live Login Screen requesting Fewer Characters

“If you have been using password longer than 16 characters, please enter the first 16”?

Sure enough, I put in the first 16 characters of the password and I was in. So in effect, it looks like they just went through their password database and truncated all the passwords down to 16.

But that is not all.

Recently I went to login to my Microsoft mail and got the good old “It’s time to change your password” message. No problem!

Well, yes there was. I use several special characters and when I tried to use some of them (which were in my existing password!) I received this message (Figure 9):

Figure 9 – Microsoft Login Special Character Message

It seemed to accept some of the special characters, but didn’t like others that I have used since I created the Hotmail Live account!

I wondered what was going on, and then I remembered, Windows 8 is being released and they want you to tie it in to an email address/ Microsoft account. As you can see in the Windows 8 install screen below (Figure 10):

Figure 10 – A View of the Windows 8 install Screen requesting an E-Mail Address

Sure you can use a different e-mail account, or even log in with a local password but they still want you to connect in to a Microsoft account (Xbox, Live, etc.) for Windows 8′s other features. And of course don’t forget the new Microsoft Marketplace…

What then is the reason for shortening the passwords? Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft services. But is that long enough for secured passwords?

Let’s check Microsoft’s FAQ for strong passwords1:

 “Length. Make your passwords long with eight or more characters.”

Okay, we are good there, but what should our password look like? Well, here are some of the password examples from Microsoft’s strong password FAQ (Figure 11):

Figure 11 – Microsoft’s Secure Password Examples

Wait a minute… They are all over 16 characters long!

As length increases so does the cracking time. Passwords longer than 10 characters take an exponentially longer time to crack. So in all reality, 16 really shouldn’t be a problem. But all of my passwords are longer than that. And with the decrease of the character set, by limiting special characters for compatibility with Microsoft’s other services, the passwords are less secure than they were before.

I am curious if Microsoft will change this in the future.

Microsoft trying to tie all their services together in the cloud is an interesting concept though. With doing this, no matter where you log in, you will get a consistent look and feel, with all of your data available.

All right, enough of an overview, let’s see Windows 8 security in action!

Testing Windows 8 Security

I took Windows 8 and ran a couple common security tests against it to see how well it would hold up. I used the Backtrack platform, SET and the Metasploit Framework. As a straight test from a security tester’s point of view, I did not use any modified payloads, uncommon techniques or exploits that were not included with the Metasploit platform.

My goal was to test to see how the new security features make the system more secure than previous versions of Windows.

The Windows 8 Enterprise VM was tested as installed with no additional security programs or anti-virus running except the included Microsoft Windows Defender. Also the latest version of Java was installed (version 7 update 7).

Malicious Shell Code verses Windows 8

Let’s take a look at a standard Java attack against Windows 8. I created a test page using the Social Engineering Toolkit (SET) in Backtrack 5, so that when a user connects, it displays an obviously bogus “Letter from the CEO” page, and it offers a backdoored Java applet to the visitor. If the user allows the Java app to run, we get a remote session.

Figure 12 – Malicious Java Security Warning

As you can see form the screenshot above (Figure 12), you see a security warning explaining, “This application runs with unrestricted access which may put your computer and personal information at risk.” If we click the box to accept the risks, and run the malicious Java We instantly receive a Windows Defender pop-up warning (Figure 13) that Malware was detected and it stopped the attack.

Figure 13 – “Malware Detected” by Windows Defender

Okay, that was an easy one; next I tried SET’s Alphanumeric shell code attack. This one is a little sneakier and can still bypass some AVs. When I pulled up the test CEO webpage on the SET machine, I didn’t get a Malware warning like I did with the earlier attack.

When I ran the attack, I got a shell!

Okay, just a shell notification (Figure 14) on the Backtrack side…

Figure 14 – Viewing connected session in Meterpreter

But once I tried to connect to the shell in Backtrack I couldn’t run any commands. It may have been able to create a channel to the Windows 8 machine, but the security features of 8 stopped it (Notice the Timeout errors) so I could not get a working remote shell.

Okay, am I impressed yet at the new security features? No, not really. A Windows 7 system running a good up to date AV/ Internet security solution will give similar results to what we have experienced so far. But for an out of the box install, it is not bad at all.

(Stay Tuned for Part 3)