I’ve been playing around with a Raspberry Pi on and off for a while now. The credit-card-sized, fully functional computer can do many things, including being turned into a security testing tool!
There is a great article on TunnelsUp.com that demonstrates disguising a Raspberry Pi as a power plug and configuring it to connect out to a control server over SSH, basically turning it into something like the popular Pwn Plug device.
When assembled, the device looks like any other power adapter cluttering our power-hungry offices. Except this one lets someone outside the building tunnel back into the internal network, possibly allowing them to run attacks against your infrastructure.
Though the author mentions just using “A Linux OS” on the Pi, putting Kali Linux on a build like this would make it a very powerful (and affordable) attack/security testing platform. Kali is the successor to the BackTrack penetration testing distribution, comes loaded with security tools and runs well on a Raspberry Pi.
Very cool project. It should jog the creative minds of penetration testers, and hopefully serve as a warning to IT departments to keep an eye out for rogue devices like this.
Microsoft recently released preview evaluation versions of Windows 8.1 and Server 2012 R2 Datacenter. Nice to know that the old Utilman login bypass, which has worked since the Windows 2000 era, still works even on the latest and greatest.
Boot the machine from a Linux live disc, mount the Windows system volume, and rename the original Utilman.exe out of the way. Then copy cmd.exe and name the copy Utilman.exe.
Boot Windows normally and, at the login screen, press the Windows key and “u”.
Up pops a command prompt running as SYSTEM, before anyone has signed in.
Here is a login screen for Server 2012 R2 Datacenter. Notice the “Press Control-Alt-Delete to sign in” message.
And notice the command prompt open with System level rights…
Why hasn’t this been patched yet? Well, maybe because it is there on purpose: an old Microsoft support forum comment mentions it as the recommended way to get back into a server whose credentials you have lost.
And… It still works today on the latest software.
Didn’t try the sticky keys one, where if you rename another file you just hold down the “Shift” key for a few seconds and a command prompt opens. But I would assume that one still works too.
Note to admins: physical access, for the most part, equals total access. Secure your data centers! Beyond locked doors, full-disk encryption on the system volume is what actually stops an offline boot from renaming anything in System32.
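For admins who want to check for this offline, here is an added example (not code from the original post) that does the inverse of the attack: mount the Windows system volume read-only from a Linux boot, then hash every helper the logon screen can launch and flag any that is byte-identical to cmd.exe or powershell.exe. The System32 tree it inspects is constructed in a temp directory with placeholder contents rather than real Windows binaries, so the script runs anywhere.

```python
"""Offline check for the accessibility-binary swap described above.

Added example, not from the original post. The System32 directory it inspects
is constructed below with placeholder file contents, not real Windows binaries.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Helpers Windows will launch from the logon screen, before anyone signs in.
ACCESSIBILITY_BINARIES = (
    "Utilman.exe", "sethc.exe", "osk.exe", "Narrator.exe",
    "Magnify.exe", "DisplaySwitch.exe", "AtBroker.exe",
)
SHELLS = ("cmd.exe", "powershell.exe")


def _find(system32: Path, name: str) -> Optional[Path]:
    """Case-insensitive lookup: an NTFS volume mounted on Linux is case-sensitive."""
    for path in system32.iterdir():
        if path.name.lower() == name.lower():
            return path
    return None


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_swapped_binaries(system32: Path) -> dict:
    """Map each swapped accessibility binary to the shell it is a copy of."""
    shell_hashes = {}
    for shell in SHELLS:
        path = _find(system32, shell)
        if path is not None:
            shell_hashes[_sha256(path)] = shell
    swapped = {}
    for name in ACCESSIBILITY_BINARIES:
        path = _find(system32, name)
        if path is not None and _sha256(path) in shell_hashes:
            swapped[name] = shell_hashes[_sha256(path)]
    return swapped


def stray_renamed_originals(system32: Path) -> list:
    """The renamed original (Utilman.exe.bak, utilman.old, ...) is a second tell."""
    real = {n.lower() for n in ACCESSIBILITY_BINARIES}
    prefixes = [n[:-len(".exe")] + "." for n in real]  # "utilman.", "sethc.", ...
    return sorted(
        p.name for p in system32.iterdir()
        if p.name.lower() not in real
        and any(p.name.lower().startswith(pre) for pre in prefixes)
    )


def build_sample_system32() -> Path:
    """Constructed stand-in for a mounted system volume after the rename trick."""
    root = Path(tempfile.mkdtemp()) / "Windows" / "System32"
    root.mkdir(parents=True)
    files = {
        "cmd.exe": b"MZ cmd placeholder",
        "powershell.exe": b"MZ powershell placeholder",
        "sethc.exe": b"MZ sethc placeholder",          # untouched
        "osk.exe": b"MZ osk placeholder",              # untouched
        "Utilman.exe.bak": b"MZ utilman placeholder",  # attacker renamed the original...
        "Utilman.exe": b"MZ cmd placeholder",          # ...and copied cmd.exe into its place
    }
    for name, content in files.items():
        (root / name).write_bytes(content)
    return root


if __name__ == "__main__":
    s32 = build_sample_system32()  # on a real box: Path("/mnt/windows/Windows/System32")
    print("swapped:", find_swapped_binaries(s32))
    print("stray renamed originals:", stray_renamed_originals(s32))
```

Two caveats: a hash match against cmd.exe only catches the lazy copy; the stronger check is to verify each helper's Authenticode signature or compare against a known-good hash for that Windows build. And the same bypass can be set up without touching any file at all, by pointing the `Image File Execution Options\sethc.exe` (or Utilman.exe) `Debugger` registry value at cmd.exe, so an offline check should also read those keys out of the SOFTWARE hive.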
With all eyes on the Vegas security conferences, some amazing news comes out of OHM2013, a security conference in The Netherlands. At the show a security researcher demonstrated how an attacker can re-program the firmware on a hard drive to maintain a backdoor, and the backdoor keeps working even after the drive has been erased and reformatted!
The attack lets an attacker who has already compromised a machine rewrite the flash firmware on its hard drive and program the drive itself to protect his access.
Firmware is code stored in a flashable chip on the drive’s controller board. This built-in code tells the drive how to work: how to read and write data, how to manage its cache, and so on. It is flashable (can be reprogrammed) so the manufacturer can release updates, and most people never re-flash or update their hard drive firmware.
At the conference, the presenter ran his tool to modify the firmware on a drive, then played out the scenario where his access is detected and the administrator password is reset.
The firmware had been programmed to watch the data passing through the drive’s cache for a special trigger, a particular web address for instance. Once the drive sees the trigger, the next time the password file is read from disk the firmware hands back a version with the password hash changed back to the one the attacker set.
And it worked!
So basically, if the hard drive firmware is compromised, the attacker can use it to regain access to the system even after the entire drive has been erased and reformatted, because the hook lives in the controller, not in the data on the platters.
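To make the layering point concrete, here is an added toy model of the mechanism described above (not the researcher’s code, and nothing like real drive firmware): a “drive” that moves 512-byte sectors in and out of its media, and a backdoored variant whose firmware watches the bytes flowing through it for a trigger and then rewrites the root entry of the shadow file on its next read. The trigger string, the password hashes and the sector numbers are all constructed for the demo. The interesting part is `reformat()`: it wipes every sector, and changes nothing about the backdoor.

```python
"""Toy model of a hard drive whose firmware carries a backdoor.

Added example, not the researcher's code. Trigger string, password hashes and
sector layout are constructed placeholders.
"""
SECTOR = 512
TRIGGER = b"/magic-trigger-page"                  # constructed: a URL the attacker requests
ATTACKER_HASH = b"$6$salt$ATTACKER_CHOSEN_HASH"   # constructed placeholder, not a real hash


class PlainDrive:
    """Honest firmware: sectors go in and out of the media untouched."""

    def __init__(self, sectors: int) -> None:
        self.media = [bytes(SECTOR)] * sectors

    def write(self, lba: int, data: bytes) -> None:
        self.media[lba] = data.ljust(SECTOR, b"\x00")[:SECTOR]

    def read(self, lba: int) -> bytes:
        return self.media[lba]

    def reformat(self) -> None:
        """The host 'erases' the disk: every sector is overwritten. The firmware is not."""
        self.media = [bytes(SECTOR)] * len(self.media)


class BackdooredDrive(PlainDrive):
    """Same media, but the firmware inspects every buffer that passes through its cache."""

    def __init__(self, sectors: int) -> None:
        super().__init__(sectors)
        self.armed = False

    def write(self, lba: int, data: bytes) -> None:
        # A web server logging the attacker's request is enough: the trigger
        # flows through the drive on its way to the platters.
        if TRIGGER in data:
            self.armed = True
        super().write(lba, data)

    def read(self, lba: int) -> bytes:
        data = super().read(lba)
        if self.armed and data.startswith(b"root:"):
            fields = data.rstrip(b"\x00").split(b":")
            fields[1] = ATTACKER_HASH          # swap the hash field of the root entry
            data = b":".join(fields).ljust(SECTOR, b"\x00")
            super().write(lba, data)           # persist it so the change sticks
            self.armed = False
        return data


def shadow_root_hash(drive: PlainDrive, shadow_lba: int) -> bytes:
    """What the OS sees as root's password hash when it reads the shadow sector."""
    return drive.read(shadow_lba).rstrip(b"\x00").split(b":")[1]


def scenario(drive: PlainDrive) -> tuple:
    """Admin sets a password, attacker triggers, admin wipes and reinstalls, attacker triggers again."""
    SHADOW, LOG = 10, 20                       # constructed sector numbers
    request = b'10.0.0.5 - - "GET ' + TRIGGER + b' HTTP/1.1" 200'
    drive.write(SHADOW, b"root:$6$salt$ADMIN_HASH_ONE:19500:0:99999:7:::")
    drive.write(LOG, request)
    after_first_trigger = shadow_root_hash(drive, SHADOW)
    drive.reformat()                           # "erased and reformatted"
    drive.write(SHADOW, b"root:$6$salt$ADMIN_HASH_TWO:19600:0:99999:7:::")
    after_reinstall = shadow_root_hash(drive, SHADOW)
    drive.write(LOG, request)
    after_second_trigger = shadow_root_hash(drive, SHADOW)
    return after_first_trigger, after_reinstall, after_second_trigger


if __name__ == "__main__":
    print("plain drive:     ", scenario(PlainDrive(64)))
    print("backdoored drive:", scenario(BackdooredDrive(64)))
```

The model cheats in the obvious ways (a real firmware has to find the shadow file by sector with no filesystem in sight, and the real demo hooked the read path with far more care), but it shows why the usual incident-response reflex of wiping and reinstalling does not help once the controller is the thing that is compromised.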
For more information, including a step by step explanation and proof of concept code, check out Spritesmods.com.
Google has released a security update that patches two separate vulnerabilities that allow an app’s contents to be modified without invalidating its digital signature. Malicious code could thus be installed without triggering a warning.
The first was discovered in February of this year by Bluebox Security. They found that if an APK (which is just a zip file) contained two entries with exactly the same file name, one legitimate and one malicious, Android could be made to install the malicious one.
When the APK is processed and installed, Android correctly checks the digital signature against the first entry to verify its legitimacy, but actually installs the second one!
According to Bluebox, 99% of Android devices are vulnerable to this attack. Sophos has a great step-by-step write-up on it here, or if you are at Black Hat USA 2013 later this month be sure to check out Jeff Forristal’s talk, “Android: one root to own them all”.
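The bug is easy to reproduce in miniature, because Python’s `zipfile` happily writes and lists duplicate entry names. The following is an added example, not Bluebox’s or Android’s code: it builds a constructed in-memory APK with `classes.dex` twice, shows that a reader which keeps the first occurrence and a reader which keeps the last occurrence end up with different bytes for the same name, and gives the check a hardened verifier should do (reject any archive with a repeated name, whichever order the components happen to use). The “first wins” and “last wins” readers are models of the two policies, not the actual Android code paths.

```python
"""Duplicate zip entries: one name, two files, two readers that disagree.

Added example, not Bluebox's or Android's code. The APK is a constructed
in-memory zip with placeholder contents.
"""
import io
import warnings
import zipfile


def build_apk(duplicate: bool) -> bytes:
    """Constructed APK-like zip. With duplicate=True, classes.dex appears twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicates but writes both
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
            zf.writestr("classes.dex", b"dex\n035\x00LEGITIMATE-CODE")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00TROJANIZED-CODE")
    return buf.getvalue()


def resolve_entries(apk: bytes, keep: str) -> dict:
    """Walk the central directory; on a name clash keep the 'first' or the 'last' entry."""
    resolved = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():  # infolist() shows duplicates; zf.read(name) would hide them
            if keep == "first" and info.filename in resolved:
                continue
            resolved[info.filename] = zf.open(info).read()  # open by ZipInfo, not by name
    return resolved


def verified_vs_installed(apk: bytes, name: str = "classes.dex") -> tuple:
    """Bytes a first-wins verifier would hash versus bytes a last-wins loader would execute."""
    return resolve_entries(apk, "first")[name], resolve_entries(apk, "last")[name]


def duplicate_names(apk: bytes) -> list:
    """The check a hardened verifier should do: list every repeated entry name."""
    seen, dupes = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            (dupes if info.filename in seen else seen).add(info.filename)
    return sorted(dupes)


if __name__ == "__main__":
    evil = build_apk(duplicate=True)
    checked, loaded = verified_vs_installed(evil)
    print("duplicate entries:", duplicate_names(evil))
    print("verifier saw:", checked)
    print("loader ran:  ", loaded)
```

Note that the signature itself is never forged: the verifier really does hash a legitimately signed `classes.dex`. The defect is entirely in letting two components resolve the same name differently, which is why the fix is to refuse the archive outright rather than to pick a “right” entry.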
The second vulnerability was published last week on a Chinese site, the ‘Android Security Squad Blog’ (Google Translation). According to the site, the signature verification process can be attacked by modifying the zip file headers.
Apparently malicious code can be added into header fields that, at the time of the post’s writing, were not covered by Android’s signature verification.
Both vulnerabilities have since been patched by Google. But how long will it take device manufacturers to implement the changes and push them out to end-user devices? Older devices that are no longer being updated are a concern too.
According to The Verge, Google has changed the Google Play store’s update mechanism to help prevent attacks like this, and Sophos recommends running an Android anti-virus program to protect against the vulnerability.