Feb 16 2014

My experiences at NullCon 2014

Category: NovoGeek @ 23:45

Finally, NullCon 2014 broke my inertia and pulled me back to my blog. Experience has taught me that large tech meets give wonderful memories which are soon forgotten. So I thought of recording my little experiences in my blog, which for sure I will cherish for years to come.

Undoubtedly, NullCon is a top-notch security conference in India, attracting offensive and defensive information security enthusiasts (just to clarify, this is not an academic security conference). By virtue of being one of the core members of OWASP Hyderabad, I received a complimentary VIP pass from OWASP to attend NullCon. Thanks to the wonderful collaboration between the OWASP and NULL communities for the pass, and to my employer for sponsoring my travel!

The Venue & the search for accommodation:

Bogmallo beach resort, Goa! I bet there isn't a cooler place than Goa to organize a tech conference in India. I've been to the South Asia MVP Open Day at Goa only recently (Aug 11-13, 2013) and yet this place didn't bore me (Aah, nostalgic, the MVP Open Day is one of my best experiences that I will cherish for years. Story here and pics here). What makes this trip different is the date. Find the odd man out: "Feb 14", "Valentine's day", "Goa", "Beach Resort", "Security Conference". :-) All guest houses within a 10 km radius of the venue were full and many of us were in a dilemma till the eve of the conference.

Thanks to my friends (Mahesh, Prithvi, Bhaskar, Rakesh, Srinu), the hackers of the OWASP/NULL Hyderabad chapters. They hired 2 motorbikes and we rode triples from Bogmallo to Vasco da Gama on the midnight of 13th Feb (seriously, these are life's little but wonderful experiences one should appreciate!). Finally, with the "influence" of my friend Raj Shalem (OWASP Hyd chapter lead), I could get a decent hotel at Vasco (about 8.4 km from Bogmallo beach resort) at about 12:00 A.M. on 14th Feb. Phew! Never imagined I would spend a Valentine's day eve like this, away from my wife (I told her that I would give her a surprise for Valentine's day and I attended NullCon :P).

The talks
There were several wonderful talks which gave me that "paisa vasool" (bang for the buck) feeling. "Hacking YOu'r Cable TV Network" by Rahul Sasi and Nafeez, and "Chrome Security 2014: New and future hotness" by Sumit Gwalani are my personal best among those I attended. Hope to see the recorded videos of the missed talks soon. I am not a big fan of keynote speeches, especially if they are "news aggregators". No offence meant, but that's my take. I had to skip a few interesting talks due to offline Q&A chats, parallel talks or networking with other techies.

Budding experts!
The speakers list had a mixture of renowned security folks as well as a couple of newbies (at least for me). Interestingly, I noticed a few undergraduate students doing some promising work: Abhay Rana on browser extension security, Bharadwaj Machiraju (@tunnelshade_) on a web testing framework, Ajin Abraham on Xenotix, an XSS exploitation framework (Surprise! Ajin is a B.Tech 4th year student and his tool is already in the top 5 security tools of 2013!), Francis Alexander on a NoSQL exploitation framework and Yashin Mehaboobe on hardware attack vectors. I appreciate the folks at NullCon for genuinely validating and recognizing the work of these folks, instead of taking the years-of-industry-experience constraint into consideration. I am sure these folks will have a promising future and will set an example to the so-called complacent web experts.

Networking FTW!
I've learnt this from my mentors and I've been a pretty decent follower of this rule: "Your primary goal of attending a conference should be networking. Everything else comes later". Tea/lunch/dinner breaks, boring keynotes, dull talks etc. should be utilized to meet new people. I set a personal target of meeting at least 10 non-local techies and discussing tech. The interesting thing about techies is, they have already followed each other on Twitter for years, though they haven't met in person. It is always fun to attach faces to Twitter handles and interact in person. It was nice meeting Lavakumar Kuppan (@lavakumark), Amol Naik (@Amol_Naik), Nafeez Ahmed (@Skeptic_fx), Rahul Sasi (@fb1h2s), Akash Mahajan (@makash), Vivek Ramachandran (@SecurityTube fame), Manu Zacharia (@manuzacharia), Prashant KV (@kvbhai), Ajin Abraham (@ajinabraham), Riyaz Walikar (@riyazwalikar), our very own Omair (@w3bd3vil) and several other webapp sec folks whose names keep popping up on my Twitter timeline.
Seriously, two tightly packed days are too short to discuss and understand what problems people are working on and their approach to solve them. However, I had a sneak peek of what some of these folks are doing.
>> I had missed catching up with Lavakumar on a couple of occasions but finally met him at Nullcon. He explained his tool IronWasp and how it outperforms other web vulnerability testing tools. As opposed to static code analysis, IronWasp relies on fault injection to detect about a dozen web application vulnerabilities and has a robust architecture. I wish I could spend some time checking its source code. Lots of learning in it.
>> Ajin explained how his B.Tech project turned into a full-fledged tool (Xenotix). Its strength lies in having a huge repository of XSS payloads (1600+) and in rendering infected web pages in 3 different browsers to achieve zero false positives. We briefly discussed a few architectural challenges which turned out to be quite interesting.
>> I had exchanged emails with Amol Naik a couple of years ago and I presumed him to be a serious-looking geek. Contrary to my imagination, this geek is so down-to-earth and extremely fun-loving. Couldn't discuss much tech with him but glad that there was a trigger for future discussions.
>> Met Nafeez Ahmed, the JS wizard, at the event. I planned to extract a few tricks from him, but ended up explaining some of my ongoing research work. We had a short but nice discussion about ECMAScript 5, Content Security Policy, browser models etc. Good to see common areas of interest between us and we hope to continue the discussions online. By the way, keep watching for his interesting talk at Black Hat Asia 2014 titled "JS Suicide: Using Javascript Security Features to Kill JS Security".
>> Met Vivek Ramachandran, the founder of SecurityTube, and had a brief chat about his infosec trainings. Glad to see someone who is so passionate about teaching infosec the right way, right from the basics.
>> Met Sumit Gwalani of the Chrome OS team after his talk and discussed Chrome's new "site isolation" architecture. The discussion slowly moved towards the browser-security related research paper I submitted to the WWW 2014 conference (which got rejected). I explained the browser model I was proposing to defeat certain web attacks and he was positive about the core idea of the paper. However, he said he is not sure if it goes well with complicated web functionality and gave a few pointers to experiment with. Sumit's feedback boosted my confidence to work on enhancing the paper.

Breathing the Goan breeze
We planned to roam around Goa after the conference on Day 2 (15th Feb) and have some fun. Fortunately, we met a Goan geek (Madan) at the conference whom we made our guide for the day. However, our persons:bikes ratio did not change (now we were 9 people with 3 bikes). We started at 7.30 P.M. at Vasco and drove to Panjim (30 km distance, triples!). Three folks visited a casino while the rest of us drove to Baga beach (another 20 km). We enjoyed a fantastic candle-light dinner served right on the sea shore, drove to the Night Bazaar and stayed till 1.30 A.M. By the time we got back to our hotels, it was 4.00 A.M.!! This is one of those days which I will not forget anytime soon.

Why attend the conference when I can read online?
Of course the proceedings of the conference will be hosted online, but there is something more important. Meeting people at good conferences like this and starting a discussion helps you understand where you stand in the real world (I mean, the world outside a company's internal ratings, star awards, peer groups, onsite assignments etc.). They silently instigate motivation and give you an "I-too-can-do-it" feeling, which is otherwise difficult to obtain. Also, evaluating your ideas with the cream of the community helps you identify your strengths, weaknesses and opportunities for improvement.


Dec 15 2013

Contributing to CSI communications

Category: Blog | NovoGeek @ 20:27

I have been busy with multiple projects in the last few months and couldn't spend much time on my blogging activities. However, I have been contributing to the IT community on a larger scale by writing articles for the Computer Society of India. So far I have written 7 articles (July 2013 - Jan 2014) on web security for CSI Communications, the monthly magazine of CSI India. You may check the magazine at http://csi-india.org. Glad to see interesting questions from students, IT professionals and academicians on topics related to web security.

Starting Jan 2014, I shall be back to blogging and will share some of the interesting research activities I came across, which will help web developers and web security enthusiasts. On another note, I participated at Devthon 0.5 and started hacking on a static blog generator based on Docpad. For now, check my GitHub repository for details. Will blog more about it soon.


Jun 19 2013

Analyzing the new social engineering spam on Facebook - lady with an axe

Category: security | NovoGeek @ 19:19

[Image: Facebook spam - lady with an axe]

Spammers are everywhere, waiting desperately to steal user information, push mass advertisements etc., and Facebook is no exception. Until a couple of years back, a lot of spam flooded Facebook. Most of it used clickjacking, drive-by downloads of browser extensions, making users enter JavaScript in the address bar etc. But due to the security measures taken by Facebook as well as newer browsers, most such spam no longer works today.

This post is about a new social engineering spam which is spreading virally on Facebook. I have recorded a video on how users fall prey to this. Click here to directly go to the video.

Social Engineering:

Nothing can beat the exploitation of the weakest link on the web: "The User". If a web user can be tricked into performing certain actions through their mouse/keyboard, a clever spammer can achieve almost everything. This is known as social engineering and has no defense other than educating users about the tricks used by spammers, which is the goal of this post. [Related post: Analyzing the Rihanna Facebook spam]

The picture on the left has become quite popular on Facebook these days. Of course it is spread by spam, which tags all the friends of an infected user, comments on the user's behalf, steals the user's info and what not. The message it displays raises users' curiosity so much that they do anything out of desperation to watch it. Clicking on the picture takes the user to a different domain (outside Facebook) and asks them to perform a series of actions. Once a user logs into Facebook (or any website, for that matter) and interacts with another website in another tab, all bets are off and anything can happen. Since the target audience for this post can be non-technical FB users as well as techies, I have split the post accordingly.


For Non-Technical Facebook Users:

I have recorded a video on how this spam spreads. If you are using Chrome as your browser, you will see the steps shown in the video below. If you use Firefox, you will see a different sequence of steps. Firefox users, check this video instead.

After watching these clips, make sure you do not fall for such traps on any website. Facebook uses "access tokens", which uniquely identify a user for a certain duration. By following the steps in the spam image, what you are doing is simply giving away your access token to the spammer. The spammer's code can then post on Facebook on your behalf, steal your contact information and friends list, and continue spamming via email. In fact, spammers sell this stolen information to advertisers and make money out of end users' ignorance.

For Techies:

TL;DR: Facebook uses "access tokens", which are random cryptographic strings that uniquely identify each user and persist only for a certain duration. The primary target of all spam attacks on Facebook is to steal these access tokens. Due to the security restrictions set by the Same Origin Policy, JavaScript code in one site cannot read content (here, access tokens) of another site. So spammers need help from users in getting what they want.

To steal users' access tokens, spammers lure them into performing certain actions (clicks, key presses etc.). Some of the previous spams (e.g., the Rihanna Facebook spam) used Flash to automatically copy a malicious script to the clipboard and lured users into pasting it in the address bar of the Facebook page. This amounts to making users inject bad script into the Facebook page. This no longer works in newer browsers, so spammers chose the converse of this technique: lure users into doing a "copy" action (Ctrl+C) somewhere in the Facebook page and then a "paste" action (Ctrl+V) in the spammer's site. By doing this, users give away their access tokens to the spammer's code. Once spammers get the token, they can perform all actions on Facebook on behalf of the user until it expires. So at a high level, the latter is what happens in this spam. General techniques used by spammers to aid their mission are loopholes in cross-origin interactions and clickjacking, apart from several other browser hacks.

In Detail:

Check the JavaScript code below. It is one of the several script files which load on the spammer's page. This one is 1350 lines! [Check these: direct link to the gist below and complete source code on GitHub]

Though the stealing technique is not new and didn't surprise me, what amused me is the level of desperation the spammer had in stealing content. For sure, our guy is a very good web developer who chose to make quick bucks. Unlike other spammers, this guy is not lazy and worked through all the hurdles (read: browser support for new features) to get things done. For instance, these are the libraries the spammer used in his code.

  • Deck.js for those smooth transitions between pages (I thought the guy used Flash since Flash has access to the clipboard, which reduces the user's actions by one step). By the way, this is way better than http://slides.html5rocks.com/ for online presentations. Good one! :-)
  • Sugar.js for extending native JavaScript objects with some syntactic sugar
  • Modernizr for HTML5 feature detection
  • jQuery backstretch for adding a dynamically-resized background image to the page.
  • jQuery cookie - a jQuery plugin for reading, writing, deleting cookies
  • Blob.js for implementing W3C's Blob interface in non-supporting browsers
  • Canvas to blob for converting canvas elements into blob objects
  • URI.js for simplifying working with URIs.

He is using Blobs, HTML5 CORS, sandbox and frame-busting, Canvas, XHR2's FormData, feature detection and user-agent sniffing targeting 3 major browsers across 6 mobile platforms, neat JavaScript design patterns, script obfuscation, effective use of continuations. Beat this, dear web devs!

Why was it complex to analyze?

Though at a high level it appears that there is nothing much interesting in the internals, there are indeed a bunch of interesting things. The spammer's page first loads a JavaScript file, which injects HTML and lazy-loads the bunch of JS files mentioned above. There is a file named "jack.php" which dynamically serves different scripts (JSONP data) based on the request parameters. It took me a lot of time to analyze how these requests are constructed. Though I could see the network calls, I was not able to trace the corresponding code in the script files. Heavy obfuscation, string concatenation, overriding the "console" and "alert" functionality etc. are purposefully done to prevent analysis of the code.

Thankfully, there are a couple of online tools which made my task easier.

As shown in the videos above, the code behaves differently in different browsers. So obviously there must be some user agent sniffing happening. After spending a lot of time, I came to know that the code in the script files being served varies with the user agent (thanks to diffnow.com for the quick comparison).

Why different tricks in different browsers?

Okay, this is the crux of the entire workflow. It took me a while to find this out and, though it is subtle, it is a new learning for me as well. The idea is to open a popup window with the "view-source:" protocol, which displays the source code of a web page (works only in Chrome and Firefox). If "view-source:" is pointed at the Facebook Connect URL, Facebook automatically attaches a valid access token, since the user is already logged into Facebook (similar to attaching cookies to subsequent requests once a user is authenticated). Here is how the URL looks, with the access token in it:
Now, if the spammer can get this URL, he can extract the access token and trigger requests using his script. This needs different behaviours in different browsers.
  • In Internet Explorer, the "view-source" protocol is not supported, so the spammer throws a fake captcha and asks the user to enter a certain verification code. He is using clickjacking to make the user submit his inputs. I tried in all versions of IE (7 to 10), but could not get the code working. He messed up his CSS, so his positioning went wrong. Probably, IE was not his target.

  • In Firefox, the code opens the popup with the "view-source" protocol and asks the user to press these three keys in sequence: "Ctrl+L", "Ctrl+C", "Ctrl+W". Anyone who uses keyboard shortcuts regularly can understand what this means. "Ctrl+L" shifts focus to the address bar of the popup and selects the entire text. "Ctrl+C" copies it. "Ctrl+W" closes the popup window. However, the large values for the "top" and "left" attributes put the popup behind the active browser window, in spite of it retaining focus. This popup behaviour is unique to Firefox and hence Firefox users will not have any suspicion. On pressing "Ctrl+V" in the spammer's page, the user's access token is pasted into the spammer's web page and hence the token is passed.

  • In Chrome, the view-source protocol works, but the behaviour of the popup is different. Popups appear above the active browser and hence the spammer has no choice but to ask the user to right-click and copy the URL, as shown in the pic to the right.
Using these simple tricks, spammers steal access tokens. Not 100% convincing for a decent techie, but they have proven to be popular among the masses. I won't be surprised if I come across newer spams which use "Fake Captcha" kind of techniques as shown by Kotowicz and Nafeez.

What is the motive behind the spam?

Well, data is the currency on the web. After a successful attack, the spammer has complete access to the user's Facebook data, along with the ids of friends, which he can sell to advertisers. I tried to dig into the network calls and see if he is exporting data to any other site or endorsing some specific vendor. All I found is that he is associated with a Brazilian site called "Mobile Xpert" (https://mobilexpert.com.br). Found this from a Facebook Graph API call which points to Mobile Xpert's FB page.

Can I have a look at network traffic, without running the code?

Sure, I have exported the HTTP calls made by the spammer's page to a HAR (HTTP Archive) file. You can get it from the GitHub repo (careful, large file). To view it properly, open the file, copy its content, navigate to http://www.softwareishard.com/har/viewer/ (online HAR viewer), paste the content into the textbox, uncheck the "Validate data before processing?" checkbox and hit "preview". You can view it similar to Firefox's network panel and analyze the traffic yourself. Check the FB Graph API calls to see all the havoc which is happening (the call GET 244767798982043 is made to Mobile Xpert's FB page).
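As an added example (not code from the original post, nor from the spammer's files), here is a small Node.js script that triages a HAR export of this kind offline: it lists the Graph API calls and flags which ones carried an access token, redacting the value so the findings can be shared safely. The HAR it runs on is a constructed sample with only the HAR 1.2 fields the triage reads.

```javascript
// Constructed sample HAR (not the spammer's real capture). Only the fields the
// triage below reads are included; a real HAR has many more per entry.
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    entries: [
      { request: { method: "GET",
                   url: "https://graph.facebook.com/me/friends?access_token=CAAExampleTokenValue123" },
        response: { status: 200 } },
      { request: { method: "POST", url: "https://graph.facebook.com/me/photos",
                   postData: { mimeType: "multipart/form-data", params: [
                     { name: "access_token", value: "CAAExampleTokenValue123" },
                     { name: "source", fileName: "blob" } ] } },
        response: { status: 200 } },
      { request: { method: "GET", url: "https://graph.facebook.com/244767798982043" },
        response: { status: 200 } },
      { request: { method: "GET", url: "https://cdn.example.test/deck.js" },
        response: { status: 200 } },
    ],
  },
};

// Mask a token so findings can be shared without leaking a live credential.
function redact(token) {
  return token.length <= 8 ? "****" : `${token.slice(0, 4)}...${token.slice(-4)}`;
}

// Pull an access_token out of the query string or the multipart POST params.
function findAccessToken(request) {
  const fromQuery = new URL(request.url).searchParams.get("access_token");
  if (fromQuery) return fromQuery;
  const params = (request.postData && request.postData.params) || [];
  const p = params.find((x) => x.name === "access_token");
  return p ? p.value : null;
}

// Summarise every entry sent to the Graph API host: method, path, status and
// whether the call carried a token (redacted). Other hosts are ignored.
function triageHar(har, apiHost = "graph.facebook.com") {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (url.hostname !== apiHost) continue;
    const token = findAccessToken(entry.request);
    findings.push({
      method: entry.request.method,
      path: url.pathname,
      status: entry.response.status,
      token: token ? redact(token) : null,
    });
  }
  return findings;
}

console.table(triageHar(SAMPLE_HAR));
```

To run it on the real export, replace SAMPLE_HAR with the parsed JSON of the downloaded file; the tokens in such a capture are live credentials, so keep the redaction in place.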

How did the spam tag user's friends in the pic?

As said earlier, once the spammer's code has the access token, it can do anything such as tagging friends, commenting on the photo on behalf of the user, stealing user info etc. You can check all of this happening in the network traffic shown above.

Okay, but how did the spammer upload a pic, using JavaScript?

Seriously, this is what made me go mad. First of all, JavaScript does not have access to the file system, so there is no way a script can upload a file all by itself, without the user's intervention (at least, I couldn't imagine a way, even knowing about Blobs and XHR2 FormData). I was excited after seeing this guy's approach. Here is how he managed automated image upload:

  • First, he loaded an image using <img src=""> from his server.
  • Then he used HTML5 canvas and drew the image on the canvas using JS (Basic canvas example)
  • Then he converted the canvas to blob using JS
  • Then he used FormData of XHR2 specification to upload the blob via AJAX post!
I am not sure if this is a well known technique, but at least for me, this is a clever way of dealing with automated uploads. Have to see how many misuses are already going on in the wild!

So is that all?
Not yet. Check the file "urls-jack.js" in the GitHub repo. I was surprised to see that there are 495 unique URLs which host the spammer's code, each with a random set of characters as a prefix and spread across multiple domains. For each image uploaded by the spam code, a random URL is chosen as a comment. This is probably to escape spam filters!
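As an added example (not part of the original post), here is a filter heuristic aimed at exactly this evasion: it groups the URLs found in comments by parent domain and flags a domain that is reached through many distinct, random-looking prefixes. The comments and domains are constructed samples, and the prefix count and entropy thresholds are assumed tuning values.

```javascript
// Constructed sample comments: two spam domains fronted by random prefixes
// (a subdomain on one, a path segment on the other) plus benign chatter.
const SAMPLE_COMMENTS = [
  "omg watch this http://a8f3kq2z.spam-a.test/video",
  "cant believe this http://q9d2m7xp.spam-a.test/video",
  "look!! http://k2z7v3nb.spam-a.test/video",
  "see it here http://spam-b.test/t5w8h2qd/",
  "wow http://spam-b.test/z3c7n9kf/",
  "finally http://spam-b.test/m6p2r8wx/",
  "nice pic, see https://www.example.test/photos/123",
  "agreed https://www.example.test/about",
];

function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Shannon entropy in bits per character: a prefix of distinct random
// characters scores log2(length); dictionary words and "www" score much lower.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / s.length) * Math.log2(c / s.length);
  return h;
}

// Split a URL into the part the campaign keeps fixed (parent domain) and the
// part it varies: the leftmost host label if there is a subdomain, otherwise
// the first path segment.
function splitPrefix(rawUrl) {
  const u = new URL(rawUrl);
  const labels = u.hostname.split(".");
  if (labels.length >= 3) return { domain: labels.slice(1).join("."), prefix: labels[0] };
  return { domain: u.hostname, prefix: u.pathname.split("/").filter(Boolean)[0] || "" };
}

// Flag a domain when it is reached through at least minPrefixes distinct
// prefixes whose mean entropy is at least minEntropy bits per character.
function detectRandomizedUrls(comments, { minPrefixes = 3, minEntropy = 2.5 } = {}) {
  const byDomain = new Map();
  for (const text of comments) {
    for (const raw of extractUrls(text)) {
      const { domain, prefix } = splitPrefix(raw);
      if (!byDomain.has(domain)) byDomain.set(domain, new Map());
      byDomain.get(domain).set(prefix, raw);
    }
  }
  const flagged = [];
  for (const [domain, prefixes] of byDomain) {
    const keys = [...prefixes.keys()].filter((p) => p.length > 0);
    if (keys.length < minPrefixes) continue;
    const mean = keys.reduce((sum, p) => sum + shannonEntropy(p), 0) / keys.length;
    if (mean < minEntropy) continue;
    flagged.push({ domain, distinctPrefixes: keys.length,
                   meanEntropy: Number(mean.toFixed(2)), urls: [...prefixes.values()] });
  }
  return flagged.sort((a, b) => a.domain.localeCompare(b.domain));
}

console.log(JSON.stringify(detectRandomizedUrls(SAMPLE_COMMENTS), null, 2));
```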

I am not sure if there are other hidden gimmicks. I wish I had more time to analyze the code. Loved the way the spammer organized his code and his desperate attempts to achieve his goal: stealing users' access tokens. It was fun analyzing this code. Will update the post if I find anything interesting.

