Author Archives: securityresearch

Remote Password Changer – GRC Tool for Corporate

Rpasswordchanger:

This is useful for organisations whose machines are joined to a Microsoft Active Directory (AD) domain. One problem system administrators face is that they are not able to change the local admin password on users' desktops.

There are two issues when local admin passwords are not changed regularly:

  • Organisations which have implemented some kind of GRC framework have to change the local admin passwords at least once a quarter or once a month. There is no straightforward method to do this.
  • An insider attacker may crack the local admin hash and use it to install their own set of software, which can lead to data theft or information compromise from the local network.

Download: http://securityresearch.cysecurity.org/RPCSetup.zip

CSPF develops custom modsecurity rules for public use

CSPF has developed ModSecurity rules that can protect servers from malicious hackers. They were written by Mr. Manish Tanwar and Mr. Suriya Prakash.

Though the OWASP CRS covers a lot of vulnerabilities, it does not protect against most backdoors and the latest bypasses.

The other rule sets that are available are commercial in nature. So CSPF is developing a growing set of rules to protect against the latest bypasses and backdoors and releasing them publicly for all to use.

The rules that we have provided can be easily expanded manually to suit your own needs.

The video below will show how to enable these rules and also show a small demo of their functions.

The ModSecurity rules can be downloaded here:

The rules are currently able to:

  • Block sensitive files/folders from being accessed
  • Block b374k shell variants
  • Block some common, well-known shells
  • Disable directory listing and phpinfo
  • Block SQL injection
    • Normal SQL injection
    • Blind and time-based SQL injection
    • All types of SQLi


How to use it?

Install ModSecurity.

Place the custom rules in a file,

e.g.: /etc/httpd/msec/created/cus.conf

then edit httpd.conf or apache.conf (depends on the OS),

e.g.: /etc/httpd/conf/httpd.conf

and add lines like these:
==============================================
<IfModule security2_module>
include msec/modsecuritydefault.conf
include msec/created/cus.conf
</IfModule>
==============================================

Then restart the server.
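As an added illustration of what a file such as cus.conf might contain (constructed for this page in ModSecurity 2.x syntax; these are not the CSPF rules, and the rule ids, paths and patterns are assumptions):

```apache
# Illustrative custom rules for /etc/httpd/msec/created/cus.conf
# (constructed example, not the CSPF rule set; ids 10001-10004 are in the
# 1-99999 range reserved for local rules)

SecRuleEngine On
# Response-body inspection is needed for the phase 4 rules below
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain

# 1. Block direct access to sensitive files and folders
SecRule REQUEST_FILENAME "@rx (?i)(^|/)(\.git|\.svn|\.htaccess|\.htpasswd|\.env|backup)(/|$)" \
    "id:10001,phase:1,t:none,t:urlDecodeUni,t:normalisePath,deny,status:403,log,\
    msg:'Sensitive file or folder access blocked'"

# 2. Block phpinfo() output, whichever script produced it (phase 4 = response)
SecRule RESPONSE_BODY "@rx (?i)<title>phpinfo\(\)</title>" \
    "id:10002,phase:4,t:none,deny,status:403,log,msg:'phpinfo output blocked'"

# 3. Block a web shell that names itself in the page it serves (b374k does).
#    Assumed heuristic: any page merely mentioning the string is blocked too,
#    so chain it with a REQUEST_FILENAME check if that causes false positives.
SecRule RESPONSE_BODY "@rx (?i)b374k" \
    "id:10003,phase:4,t:none,deny,status:403,log,msg:'b374k shell page blocked'"

# 4. Block time-based SQL injection functions in any request parameter
SecRule ARGS|ARGS_NAMES "@rx (?i)\b(sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay\b)" \
    "id:10004,phase:2,t:none,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,\
    msg:'Time-based SQL injection attempt blocked'"

# Directory listing is an Apache option rather than a ModSecurity rule;
# the document root is an assumed path
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

The `include` paths in httpd.conf are relative to Apache's ServerRoot (/etc/httpd in the example above), and `apachectl configtest` should pass before the restart.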

——————————————————————————————–

Files:

Usage Video:

https://drive.google.com/file/d/0BwjcnnWhy4E3UkZwckV1UGM0SE0/view?usp=sharing

Custom Modsecurity Rule:

https://drive.google.com/file/d/0BwjcnnWhy4E3R1Y5T3ozTTJsS1k/view?usp=sharing

Custom Modsecurity Rules(Windows View):

https://drive.google.com/file/d/0BwjcnnWhy4E3cDhqWDQwbURMN0k/view?usp=sharing


China and Hongkong Protesters

Did Hong Kong protesters use a simple app on their mobiles to evade the Chinese authorities switching off and monitoring cellphone towers? Apps are coming out which work without cell phone towers or mobile internet. They use technologies like Bluetooth and NFC, so a crowd can use them to message each other. Should other governments learn from this?

Hong Kong protest using FireChat

Online web portals cheating the citizens of this country

A lot of web portals in India are cheating their customers by using unethical tactics in order to increase their sales.

Some of the common methods they use to exploit people are:

  1. If a user views an item a certain number of times, they increase the price of the product, assuming that the user is desperate to buy it. There are automated algorithms which do this. For example, when you browse air tickets for specific locations, the rates increase when you come back to the same flights (same departure, destination and dates).
  2. Putting in “special offers” for “new” products and showing “sold out” within 30 seconds of the sale starting (they do not have many in stock). Then they show “suggestions” for other products to make the user buy those instead.
  3. Letting users buy a product that is not actually in stock; after the money is received they call and inform the user that the product is not in stock and that they will get the money back in a month. Meanwhile they earn interest on that money, and when they do this to a large number of users they make a lot of money.
  4. Putting in fake “special offers”. E.g.: if a product is worth 6000 INR, they increase its price to 10000 INR a few days before the “offer” and then on the day of the “sale” they cut it back to 6000 INR and claim that it is a 40% discount.

The Government of India should look into this type of scamming as it is happening on a wide scale in India. The government should also look into how these portals use the “big data” collected from users and whether they store it securely.

We recently came across an Indian site (Alexa rank below 100 in India) that, when given “forgot password”, sends the password back in clear text to the user's email. This means that they are storing passwords without any sort of hashing; even this very basic security measure is not implemented. The Government of India should look into such sites and require mandatory security policies that secure user data and information.

APT Attack Technical Analysis

We got this sample from corporate management computers in the US and India. This Word document was sent to CEOs' email addresses. Once opened, it could monitor the victim's entire activity (keystrokes) and upload files (Word documents, Excel sheets, PowerPoint presentations) from the computer to a server hosted by the attacker. We have sent the samples to most of the antivirus/security companies around the world and uploaded the sample to VirusTotal so that all antivirus companies get a sample of this APT attack and can protect people across the world.
Such attacks are going to keep happening; antivirus technologies are still primitive. Most antivirus products are not able to detect the Word document's exploit code (only 11 products around the world can handle finding exploits inside MS Office files). Antivirus software gives customers a false sense of security. CSPF strongly recommends that customers test these antivirus/security products rather than go by their claims. CSPF has observed that this Word exploit has been around for the last two years and only 11 of 55 antivirus products detect it.
Next time you get a Word doc, Excel sheet, PDF or PPT, think twice before opening it. The email could be spoofed to make it look like it is coming from someone you know.