Recovering Windows Passwords Remotely in Plain Text

There has been a lot of buzz across the web in the last few months about a program called “Mimikatz”. It is an interesting tool that recovers Windows passwords from a running system in clear text. Why spend hours, days, or months cracking a complex password when you can just pull it out of Windows memory as unencrypted text? We have seen in the past that most Windows passwords shorter than 15 characters can be cracked in seconds once an attacker has the password hashes, because Windows stores such passwords as an LM hash, a weak legacy format kept for backwards compatibility. Microsoft lets you disable LM hash storage, but LSASS still computes the hash at logon and keeps it in memory. No big deal: make your passwords 15 characters or longer and the problem is solved, since no LM hash is created for them at all and only the more secure NTLM hash remains.

Well, not so fast. The LM hash is not the only form of the password Windows keeps in memory: LSASS also holds a reversibly encrypted copy of each logged-on user's password (kept for authentication packages such as WDigest), and Mimikatz decrypts it in place. You can even recover it remotely, IF you have remote access to the system, for example through malicious Java code. The walkthrough below uses the Java applet attack in the Social Engineering Toolkit (SET) to obtain a remote shell and then Mimikatz to pull the passwords. You can build the trap (a malware-infected website) yourself if you want to see how this works. NOTE: this is NOT RECOMMENDED unless you are interested in security and have the time, tools and a lab system on which to host the attack site.

First, download Mimikatz and place the files you need (32- or 64-bit Windows build) in a directory on your BackTrack system. Then run SET and pick the website Java attack option. After the target browses to our SET web page and allows the Java applet to run, we get a remote Meterpreter shell. After connecting to the session, we need to elevate: Mimikatz needs SeDebugPrivilege to open LSASS, and a UAC-restricted administrator token does not get it. Run the Bypass UAC script in Meterpreter and then connect to the newly created, elevated session; System-level privileges are what you want for Mimikatz to work properly.

Now all we need to do is create a directory on the target system and copy the Mimikatz files up to it.

Now we need to drop to a command shell and run “Mimikatz”. In the Mimikatz console, enter “privilege::debug” (which enables SeDebugPrivilege for the Mimikatz process) and then “inject::process lsass.exe sekurlsa.dll” (which injects the sekurlsa module into LSASS).

If you get an error at this point (yes, the messages are in French), you probably do not have the required privilege level. If all went well, run one last command, “@getLogonPasswords”.

And that is it! The passwords of everyone who has logged onto this machine are displayed in plain text. In the screenshot above you can see two users:

Username: Fred  Password: password

Okay, not a complex (or smart) password, but look at the other user:

Username: Secure_User  Password: CvM*901D0?#(Fg[“MNoP43!Ta$cv2%

Wow, you would not want to type that one in every day. It is a 30-character password, and Mimikatz recovered and displayed it in plain text with no need to decrypt or crack anything. Password length and complexity do not help here, because Mimikatz reads the password after Windows has already accepted it.

The moral of this story, boys and girls, is not to allow scripts or programs to run from websites you do not know or trust. Run a browser script-blocking add-on such as NoScript. Also, do not let your Windows 7 users work from Administrator-level accounts; drop them down to standard User accounts for everyday use. Without an elevated account, the Bypass UAC step above has nothing to bypass, and Mimikatz cannot open LSASS.

As always, do not access systems you do not have permission to access, and do your penetration testing learning on test machines, not on live production systems.

Finally, if you implement a scheduled task that restarts systems every night (Windows 7 makes this easy) as policy, it will clear from memory the credentials of the previous day's logons, which is especially important if an administrator logged in earlier in the day. Bear in mind that this only narrows the window: the credentials come back with the next logon, and an attacker who already has an elevated shell can simply wait for it, so restricting administrator accounts comes first.
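The two operational recommendations above (standard user accounts and a nightly restart) as one PowerShell script an administrator could run from an elevated prompt on a Windows 7 workstation. This is an added example, not code from the original post; the task name NightlyRestart and the 03:00 restart time are assumptions made here.

```powershell
# Added example, not part of the original post. Assumed names: the task name "NightlyRestart"
# and the 03:00 restart time are choices made here. Run from an elevated PowerShell prompt.

function Get-LocalAdministrators {
    # Enumerate the local Administrators group through the WinNT ADSI provider, which is
    # available on Windows 7 without any extra module. Review this list before removing anyone.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Move-ToStandardUser {
    # Take a local account out of Administrators and make sure it is in Users, so that the
    # Bypass UAC step in the post has nothing to elevate and LSASS cannot be opened.
    param([Parameter(Mandatory = $true)][string]$UserName)
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $users  = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    $member = "WinNT://$env:COMPUTERNAME/$UserName,user"
    $admins.Remove($member)
    try { $users.Add($member) } catch { }   # already a member of Users: nothing to do
}

function Register-NightlyRestart {
    # Daily restart as SYSTEM, so it does not depend on anyone being logged on. This flushes
    # the credentials LSASS still holds from earlier logons; they return at the next logon.
    param([string]$Time = '03:00', [string]$TaskName = 'NightlyRestart')
    schtasks.exe /Create /F /RU SYSTEM /SC DAILY /ST $Time /TN $TaskName /TR 'shutdown.exe /r /t 60'
}

# Usage: list first, then demote the everyday accounts you find, then schedule the restart.
Get-LocalAdministrators
# Move-ToStandardUser -UserName 'fred'
# Register-NightlyRestart
```

Keep the built-in Administrator account and any domain administrator groups in the list; the point is to remove the accounts people use for everyday browsing, which is where the Java applet attack in the post lands.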

iPhone Malware: Kaspersky Expects Apple’s iOS To Be Under Attack By Next Year

Security company Kaspersky Lab expects the iPhone and iPad to be infected by malware within the next year.

While analyzing security vulnerabilities in Apple’s operating system for Macs, Kaspersky also noted potential instabilities in iOS, Apple’s mobile operating system.

As a security firm, it’s in Kaspersky’s interest to analyze and report on potential security threats, but to date instances of iPhone malware have been relatively rare. The few known cases have occurred within jail-broken phones. Android appears to be the platform to target; in 2011, instances of malware on the Android platform spiked 400 percent from the previous year.

Kaspersky CEO Eugene Kaspersky recently spoke out on Apple’s security in the wake of the Mac Flashback trojan, the malware that infected more than 600,000 Apple computers.

Kaspersky compared Apple to Microsoft, telling Computer Business Review: “I think they are 10 years behind Microsoft in terms of security.”

Kaspersky also said his company has seen an increase in malware directed at Macs and recommended that Apple take a more active security stance against potential threats.

Kaspersky is not the only security company that has recognized the potential threat to Apple devices that run on iOS.

While the iPhone may not be as exposed to malware as Android, with the rising number of smartphone users it won’t be long before attackers find a way around Apple’s App Store review process.

Security in 2012: A look back at Q1

Today, ‘Mobile’ has become a technology buzzword. Mobile technology refers to portable technology, which runs the gamut from mobile phones and laptops to global positioning system (GPS) devices. Like any other kind of technology, mobile technology has its disadvantages and concerns, including security.

Android under attack

Android-based smartphones suffered more criminal attacks this quarter. With the increased use of smartphones for web browsing, it is no surprise that the number of mobile attacks increased. The popularity of apps led to bogus Android apps such as the fake ‘Temple Run’ and fake optimizer apps. One prominent mobile threat this quarter was one-click billing fraud, which can charge a user up to $1,300 for a single tap.

Data breaches and APTs

As the name implies, persistence is key when it comes to Advanced Persistent Threats (APTs). Attackers go deep into a target’s network to get what they want. Highly targeted attacks are categorized as ‘campaigns’, as these refer to a series of failed or successful attempts to compromise a targeted network. One notable example of this is the Luckycat campaign, which targeted several industries. Common lures for targeted attacks this quarter include popular sports figures and sociopolitical events.

Social media threats

Social networking has created a generation of users more likely to reveal personal data to third parties. Social media has become an effective platform for cybercriminals to spread malware. Even more troubling is the fact that the presence of cybercriminals and cunning social engineering lures put not only users at risk, but also the companies they work for. Even newly formed social networking sites were not spared this quarter, with survey scams finding their way to Pinterest.

Vulnerabilities

The number of vulnerabilities reported this quarter showed how easily threats can spread among systems and possibly even mobile devices. One vulnerability, MS12-020 (CVE-2012-0002), a flaw in the Remote Desktop Protocol service, received the highest rating on Microsoft’s Exploitability Index, meaning consistent exploit code is likely, and it can be triggered by unauthenticated attackers. MS12-020 allows cybercriminals to execute code remotely on unpatched systems that expose RDP.

Among vendors, Apple posted the highest number of reported vulnerabilities this quarter, along with a record-breaking number of patches.

Cybercrimes

Blended threats are cybercriminals’ answer to causing greater damage to unsuspecting users. Ransomware reared its ugly head once more, taking systems or files ‘hostage’ until victims paid up. One SINOWAL variant spread using a compromised Dutch site. Other notable threats included spoofed emails bearing a malicious JavaScript and backdoors that stole sensitive information.

Some days, you just want to stay inside and read a book.

Can Dropbox, other cloud providers survive Google Drive?

The 800-pound gorilla has landed and is leveraging its existing relationship with hundreds of millions of users to move them onto its cloud storage and file sharing service, Google Drive. Can smaller cloud storage players survive this assault?

Like Apple and Microsoft, Gartenberg noted, Google has a relationship with millions of consumers who use its Gmail, Google Docs, Chrome web browser and any number of other applications. Because of those existing relationships, Google has an advantage in wooing existing customers over to its new storage and synchronization service.

While Google Drive will no doubt compete with Microsoft’s SkyDrive and Apple’s iCloud, the companies more at risk are smaller specialized service providers such as Dropbox, Box, SugarSync and YouSendIt. Those services have appealed more to technology enthusiasts than to average consumers. And when it comes to adoption, relationships matter.

Google offers 5GB of capacity for free and allows an upgrade to 25GB for $2.49 a month, 100GB for $4.99 a month or 1TB for $49.99 a month. When you upgrade to a paid account, your Gmail account storage will also expand to 25GB. On an annual basis, Google Drive charges $60 for 100GB.

The price difference is clearly an issue – many existing Dropbox users will move due to this alone.

While Google Drive is currently aimed at consumers, it won’t be long before business-class offerings that give IT managers administrative control emerge.

Box.net is clearly the leader in mass market enterprise cloud storage – For example, Box allows multiple email domains to exist inside the same enterprise account, allowing different business groups to have their own email accounts for collaboration purposes.

This may change soon.

New, sneakier Flashback malware infects Macs

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.   But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

Flashback.K used different infection tactics: even though it exploited the same Java vulnerability, identified as CVE-2012-0507, it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.

The hackers responsible for Flashback appear to be making money through click fraud, where large numbers of people are redirected to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from shady intermediaries for each ad clicked.

The Java flaw used by both Flashback.S and the earlier Flashback.K was patched by Oracle in mid-February, but Apple, which maintains its own edition of Java for OS X and so is responsible for patching Java bugs, did not issue its fix until April 3, seven weeks later.

Users are infected by Flashback.S when they browse to compromised or malicious sites; the tactic is called a “drive-by” to reflect the lack of any required user action beyond visiting a URL.

Because Flashback.S uses different names for the files it drops on a Mac, and installs those files in a different location than Flashback.K, it’s possible that the malware seek-and-destroy tool Apple released April 12 won’t eradicate the variant.

It wouldn’t be a surprise if Apple’s tool did not eliminate Flashback.S: last year, cyber criminals and Apple went several rounds over MacDefender, a family of fake antivirus programs that wriggled onto a large number of Macs. Several times, the hackers responded to Apple’s moves by modifying their tactics or code to sidestep just-deployed defenses.

Flashback is easily the most widespread and pernicious malware Mac owners have yet faced.

Self-Encrypting Drives: The Evolution of Encryption

Self-encrypting drives (SEDs) have garnered little attention from those outside the information security industry. Although SEDs solve many problems, such as data loss and the performance cost of software encryption, many organizations do not use or understand the technology. What is a self-encrypting hard drive? The drive itself protects the data with 128-bit or 256-bit AES keys that are generated and stored inside the drive, so there are no keys for the user to lose. The keys never leave the drive.

There are two keys: the media encryption key (MEK), which encrypts the data, and the authentication key, derived from your password, which unlocks the drive and decrypts the MEK. Without the authentication key, the MEK is never present in the drive in usable form. You set the password, and from then on the only way back onto the drive, and to the data on it, is with the password (or passwords) you configured.

The three main benefits of Self-encrypting devices are:

  1. They replace software-based encryption, which can be expensive and hurts device performance, and they make it easy to manage and control authorized users and authentication methods.
  2. They significantly reduce the time IT spends on configuration, maintenance, and encryption key management.
  3. There is no performance overhead, unlike disk encryption software, because the encryption is done in the drive and is invisible to the operating system and the host processor.

Following the Trusted Computing Group’s Opal standard, hard drives and solid state drives (SSDs) are now offered with self-encryption built in. What distinguishes these next-generation encrypted drives is that the encryption engine is integrated into the drive’s own controller chip.

Securing data storage is especially important for small businesses, because breach-notification laws require companies to report lost data, and record-keeping rules require them to retain data for long periods.

When it comes to hardware full disk encryption, there are two main use cases: data-at-rest protection and cryptographic disk erasure.

In data-at-rest protection, a laptop is simply closed, which powers down the disk. The disk now self-protects all the data on it. Because all the data, even the OS, is encrypted with a secure mode of AES and the drive is locked against reads and writes, the data is safe. To unlock, the drive requires an authentication key of up to 32 bytes (256 bits).

When a cryptographic disk erasure command is given (with proper authentication credentials), the drive generates a new media encryption key and goes into a ‘new drive’ state. The old data becomes irretrievable because nothing can decrypt it any more. Unlike other forms of sanitization, this takes a few milliseconds at most, so a drive can be safely repurposed very quickly.
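As an added example (not code from the original post or from any drive vendor), here is a software model of the key hierarchy described above and of the two use cases: the password yields the authentication key, the authentication key unwraps the media encryption key (MEK), and the MEK encrypts the sectors. PBKDF2 with 50,000 iterations for the key derivation and AES-256-CBC with HMAC-SHA256 for the wrapping are assumptions made here to stand in for the drive's own AES engine; a real SED does all of this inside its controller.

```powershell
# Added example, not from the original post or any vendor's firmware: a model of the SED key
# hierarchy (password -> authentication key -> wrapped MEK -> data). Choices made here, not
# taken from the post: PBKDF2 (50,000 iterations) for the authentication key, and
# AES-256-CBC + HMAC-SHA256 as a stand-in for the drive's AES engine. The MEK lives only in
# $Drive.Mek, the model's equivalent of the drive controller's volatile memory.

function Get-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}

function ConvertTo-AuthKey([string]$Password, [byte[]]$Salt) {
    # 64 bytes: the first half keys AES, the second half keys the HMAC.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes ($Password, $Salt, 50000)
    return ,$kdf.GetBytes(64)
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    # Encrypt-then-MAC: output is HMAC(IV || ciphertext) || IV || ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]($Key[0..31]); $aes.GenerateIV()
    $ct     = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body   = [byte[]]($aes.IV + $ct)
    $macKey = [byte[]]($Key[32..63])
    $mac    = New-Object System.Security.Cryptography.HMACSHA256 (,$macKey)
    $out    = [byte[]]($mac.ComputeHash($body) + $body)
    return ,$out
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    # A wrong key fails the MAC check before any decryption happens, so no key material "appears".
    $macKey = [byte[]]($Key[32..63])
    $mac    = New-Object System.Security.Cryptography.HMACSHA256 (,$macKey)
    $body   = [byte[]]($Blob[32..($Blob.Length - 1)])
    $tag    = $mac.ComputeHash($body)
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $Blob[$i]) }
    if ($diff -ne 0) { throw 'authentication failed: wrong key' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]($Key[0..31]); $aes.IV = [byte[]]($body[0..15])
    return ,$aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16)
}

function New-ModelDrive([string]$Password) {
    # The MEK is generated inside the "drive" and never handed out; only its wrapped form is stored.
    $salt = Get-RandomBytes 16
    $mek  = Get-RandomBytes 64
    return @{
        Salt       = $salt
        WrappedMek = (Protect-Bytes (ConvertTo-AuthKey $Password $salt) $mek)
        Sectors    = @{}
        Mek        = $null
    }
}
function Unlock-ModelDrive($Drive, [string]$Password) {
    # Power-on authentication: the MEK exists only after the password unwraps it.
    $Drive.Mek = Unprotect-Bytes (ConvertTo-AuthKey $Password $Drive.Salt) $Drive.WrappedMek
}
function Lock-ModelDrive($Drive) { $Drive.Mek = $null }   # power loss, e.g. the laptop lid closes

function Write-ModelSector($Drive, [int]$Lba, [string]$Text) {
    if (-not $Drive.Mek) { throw 'drive is locked' }
    $Drive.Sectors[$Lba] = Protect-Bytes $Drive.Mek ([Text.Encoding]::UTF8.GetBytes($Text))
}
function Read-ModelSector($Drive, [int]$Lba) {
    if (-not $Drive.Mek) { throw 'drive is locked' }
    [Text.Encoding]::UTF8.GetString((Unprotect-Bytes $Drive.Mek ($Drive.Sectors[$Lba])))
}
function Set-ModelPassword($Drive, [string]$Old, [string]$New) {
    # Only the 64-byte wrapped MEK is rewritten; no data sector is touched, however large the drive.
    $mek = Unprotect-Bytes (ConvertTo-AuthKey $Old $Drive.Salt) $Drive.WrappedMek
    $Drive.Salt       = Get-RandomBytes 16
    $Drive.WrappedMek = Protect-Bytes (ConvertTo-AuthKey $New $Drive.Salt) $mek
}
function Invoke-ModelCryptoErase($Drive, [string]$Password) {
    # Authenticate, then discard the MEK and mint a new one. The old ciphertext is left in place
    # on purpose: without the old MEK it is noise, which is why the erase takes milliseconds.
    $null = Unprotect-Bytes (ConvertTo-AuthKey $Password $Drive.Salt) $Drive.WrappedMek
    $Drive.Mek        = Get-RandomBytes 64
    $Drive.WrappedMek = Protect-Bytes (ConvertTo-AuthKey $Password $Drive.Salt) $Drive.Mek
}

# Walk-through (constructed data; the "drive" is just a hashtable in this process).
$d = New-ModelDrive 'first-password'
Unlock-ModelDrive $d 'first-password'
Write-ModelSector $d 0 'payroll.xlsx contents'
Lock-ModelDrive $d
try { Read-ModelSector $d 0 } catch { "locked: $_" }
try { Unlock-ModelDrive $d 'guess' } catch { "wrong password: $_" }   # MAC fails, no MEK produced
Unlock-ModelDrive $d 'first-password'
Set-ModelPassword $d 'first-password' 'second-password'
Lock-ModelDrive $d; Unlock-ModelDrive $d 'second-password'
Read-ModelSector $d 0                                                   # same data, new wrapper only
Invoke-ModelCryptoErase $d 'second-password'
try { Read-ModelSector $d 0 } catch { "after erase: $_" }               # old sector fails under new MEK
```

Three things the model makes visible: a wrong password fails the MAC check, so no MEK ever materialises; changing the password re-wraps only the MEK, which is why it is instant on a terabyte drive; and a cryptographic erase does not touch a single sector, it simply makes the old ciphertext undecryptable by replacing the key that wrapped it.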

Disadvantages

  1. Pure hardware-based FDE has no strong authentication component of its own.
  2. Lack of scalable management; there is no central management component.
  3. Hardware full disk encryption only protects data while the computer is off or hibernated. If the computer is stolen while turned on or merely suspended, a restart that boots from a USB stick or CD may expose the data without the password, because a warm restart leaves the drive powered and therefore still unlocked, so no password prompt is presented. Some hardware configurations have additional protection mechanisms that limit this exposure.

Sign Up For A Free Computing Course

Udacity is a web-based college/university that offers free courses in various computer-related subjects.  Courses typically last 7 weeks, and you can follow at your own pace in your own time.  At the end of the course there’s an exam, so that you can be awarded a grade.

The courses are free to access, and cover a variety of topics, with more due to be added soon.   Check out www.udacity.com to find out more.

Microsoft SkyDrive Finally Gets Its Desktop App

Until now, the main difference between the way you use Dropbox and Microsoft’s SkyDrive has been that the latter is only available via a web site. There’s no officially supported way to mount your SkyDrive as a virtual drive in Windows 7, to which you can copy and save files.

As of today, that’s changed.  Microsoft has finally released a Windows app that integrates your SkyDrive into the operating system.  So now you have a drive which you can use just like any other, but which is held in the cloud and automatically synced to your other computers too.  Safe, secure, and reliable.  Well, as much as any cloud-based service can be.

You can get the SkyDrive Windows app from https://apps.live.com/skydrive. You’ll need to sign up for a Windows Live ID if you don’t already have one. And be aware that Microsoft has cut the storage allowance for new accounts, so you only get 7 GB for free instead of 25. But it’s still more than the 2 GB you get for free with Dropbox.

Can I Get an iPhone Virus?

Question: Can I Get an iPhone Virus?

While getting an iPhone virus is a legitimate concern on an Internet where there are thousands (and likely many, many times more) of viruses, most users don’t have to worry about their phone picking up a virus.

Answer: While the technically correct answer is yes, iPhones (and iPod touches and iPads, since they run the same operating system) can get viruses, the likelihood of that happening (at least right now) is extremely low. There have only been a few iPhone viruses created and most were created by security researchers and haven’t been released on the Internet.

Of the iPhone viruses that have appeared “in the wild,” there are worms, a kind of virus, that almost exclusively attack iPhones that have been jailbroken. So, as long as you haven’t jailbroken your device, your iPhone, iPod touch, or iPad should be safe from viruses.

But Should I Get iPhone Virus Protection To Be Safe?   The answer, for now at least, is no. There are no known iPhone viruses in the wild that affect a non-jailbroken device; beyond the jailbreak worms, there have only been proof-of-concept viruses and attacks.

As you can see, deciding whether you need iPhone virus protection depends on what you do with your phone. Another way to answer the question, though, is based on what antivirus software is available for the iPhone. Turns out, not much.

However, as a reminder, if you have jailbroken your device, you should be concerned about malware and viruses.

Three versions of Microsoft’s Windows 8 OS

For those with Intel-compatible machines, the OS will be available in two versions – Windows 8 and Windows 8 Pro. For those with devices, largely tablets, powered by ARM-designed chips there will be a Windows RT version.

Microsoft wants to simplify how it markets Windows 8, which is expected to launch in autumn 2012. The complex versions of previous Windows – from basic to home, premium to ultimate – have confused consumers.

Microsoft has called Windows 8 the most significant redesign of the Windows interface since its groundbreaking Windows 95 OS.

The ARM version of the OS is the newest edition and reflects Microsoft’s desire to unify the engine known for running desktop computers with that for tablets and smartphones. Windows RT will sit alongside Apple’s iOS and Google’s Android operating systems.

A preview version of Windows 8 launched late last year and more than 100,000 changes had been made since the developer version went public. For the first time since its inception, the trademark Windows “Start” button will no longer appear – instead being replaced by a sliding panel-based menu.
