<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>matthewhughes.co.uk</title>
	<atom:link href="http://matthewhughes.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>http://matthewhughes.co.uk</link>
	<description></description>
	<lastBuildDate>Thu, 02 Sep 2010 14:09:51 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Please Spam Me &#8211; A study into the language of 419 scams, spam and phishing.</title>
		<link>http://matthewhughes.co.uk/2010/09/please-spam-me-a-study-into-the-language-of-419-scams-spam-and-phishing/</link>
		<comments>http://matthewhughes.co.uk/2010/09/please-spam-me-a-study-into-the-language-of-419-scams-spam-and-phishing/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 14:09:51 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=804</guid>
		<description><![CDATA[Hello everyone,
I&#8217;m currently writing a research paper studying the language of spam and online email scams. Without revealing too much, I basically need to get spammed. A lot. More will be revealed once I&#8217;ve gotten a bit further with it, but until then, I&#8217;ve created a disposable email account for the job. I&#8217;d be hugely appreciative [...]]]></description>
			<content:encoded><![CDATA[<p>Hello everyone,</p>
<p>I&#8217;m currently writing a research paper studying the language of spam and online email scams. Without revealing too much, I basically need to get spammed. A lot. More will be revealed once I&#8217;ve gotten a bit further with it, but until then, I&#8217;ve created a disposable email account for the job. I&#8217;d be hugely appreciative if you could post said email around the tubes.</p>
<p>The email is bliddle53@gmail.com.</p>
<p>Cheers!</p>
<p>Matt Hughes</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/09/please-spam-me-a-study-into-the-language-of-419-scams-spam-and-phishing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>SecurityBSD 0.02 released &#8211; Banal edition</title>
		<link>http://matthewhughes.co.uk/2010/07/securitybsd-0-02-released-banal-edition/</link>
		<comments>http://matthewhughes.co.uk/2010/07/securitybsd-0-02-released-banal-edition/#comments</comments>
		<pubDate>Sat, 24 Jul 2010 13:55:11 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[SecurityBSD]]></category>
		<category><![CDATA[bsd]]></category>
		<category><![CDATA[FreeBSD]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=793</guid>
		<description><![CDATA[I&#8217;m pleased to announce that SecurityBSD 0.02 has finally been released after heavy delays. This has been a combination of personal obligations, and the unrealistic expectation of releasing the first edition documentation for the project along with this edition. Needless to say, I&#8217;ve decided to push ahead for an early release of the distro.
Named after [...]]]></description>
			<content:encoded><![CDATA[<p style="text-shadow: none;">I&#8217;m pleased to announce that SecurityBSD 0.02 has finally been released after heavy delays. This has been a combination of personal obligations, and the unrealistic expectation of releasing the first edition documentation for the project along with this edition. Needless to say, I&#8217;ve decided to push ahead for an early release of the distro.</p>
<p style="text-shadow: none;">Named after a comment on a Russian forum which described the SecurityBSD project as &#8216;banal sh**t&#8217;, it features all new security and developer tools and some boot sequence customization.</p>
<p style="text-shadow: none;">Thanks again to John Bell for bandwidth and hosting. It&#8217;s greatly appreciated.</p>
<p style="text-shadow: none;">As with the last edition, the username and password for login is root and toor. Expect some rudimentary documentation in the next two weeks, schedule permitting.</p>
<p style="text-shadow: none;">Download it <a href="http://www.jbell2.com/in/SecurityBSD.tar">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/07/securitybsd-0-02-released-banal-edition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>University of Reddit: Web Application Hacking with DVWA: Lesson 1 &#8211; Getting Started and reflected XSS</title>
		<link>http://matthewhughes.co.uk/2010/07/university-of-reddit-web-application-hacking-with-dvwa-lesson-1-getting-started-and-reflected-xss/</link>
		<comments>http://matthewhughes.co.uk/2010/07/university-of-reddit-web-application-hacking-with-dvwa-lesson-1-getting-started-and-reflected-xss/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 22:00:18 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[dvwa]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[reddit]]></category>
		<category><![CDATA[reflected xss]]></category>
		<category><![CDATA[university of reddit]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=794</guid>
		<description><![CDATA[Preamble
In this course, we learn about the very exciting world of web application testing. In recent years, web applications have become widespread to the point of ubiquity, with banks, retail, social networks and more using them. Here, we learn to identify and exploit vulnerabilities in web applications in order to enhance security.
In the first Spiderman [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Preamble</strong></p>
<p>In this course, we learn about the very exciting world of web application testing. In recent years, web applications have become widespread to the point of ubiquity, with banks, retail, social networks and more using them. Here, we learn to identify and exploit vulnerabilities in web applications in order to enhance security.</p>
<p>In the first Spiderman film, Ben Parker says ‘With great power comes great responsibility’. The same is true of the skills you will learn in this course. Do not use these techniques on any systems or websites that you don’t own yourself, or have permission to use them on. Neither I, nor Condé Nast, nor University of Reddit, nor the makers of DVWA are responsible for anything illegal you do with the skills you learn from this course.</p>
<p>Act responsibly, have fun and I hope you find this course rewarding.</p>
<p><strong>Introduction</strong></p>
<p>Hi. My name is Matthew Hughes and I’ll be your tutor for this course. I’m a first year (going on second year) student at Northumbria University in the UK, studying Ethical Hacking for Computer Security.</p>
<p>In this course, we will learn about a selection of the avenues of attack used by hackers to break into popular web applications. We will do it by using a popular tool called DVWA that replicates the common vulnerabilities found in many poorly designed and developed websites, allowing us to learn about the attack methodologies used by black hat hackers.</p>
<p><strong>Why is penetration testing so important? </strong></p>
<p>Imagine you’re a boat maker. Now, one of the most important functions of a boat is to not sink. When a boat maker makes a boat, he’ll check the hull for any holes so that there’s no chance of water seeping in and submerging the vessel.</p>
<p>The job of an ethical hacker/penetration tester is similar to that of a boat maker. You’re looking for weaknesses, not out of malice, but out of an obligation to protect whoever relies on the system being tested.</p>
<p>Everything, from our vital infrastructure, to online and high street retail relies on computers, the vast majority being networked and on the internet. This presents an enticing opportunity for hackers who would seek to disrupt our way of life for either financial gain or ideological reasons. Penetration testing exposes vulnerabilities, so that they can be repaired before they are exploited.</p>
<p>Penetration testing isn’t important. It’s <em>vital</em>.</p>
<p><strong>Lesson Objectives</strong></p>
<p><strong>1.) </strong>Learn how to install XAMPP and DVWA.</p>
<p><strong>2.) </strong>Learn how to recognize and exploit reflected cross site scripting.</p>
<p><strong>Getting Started and General Prerequisites</strong></p>
<p>There are a few prerequisites. First of all, you have to have a computer running either the GNU/Linux or FreeBSD operating system. For those of you who have a system running Windows, you have two choices. Download a copy of Sun Virtualbox and install Ubuntu in the virtual machine, as explained <a href="http://www.psychocats.net/ubuntu/virtualbox">here</a>. A quicker and easier way is to go to wubi.com and install Ubuntu to your computer by using that. A guide to installing Ubuntu Linux can be found <a href="https://wiki.ubuntu.com/WubiGuide">here</a>. If you have a computer running GNU/Linux or FreeBSD, you can skip this step.</p>
<p><strong><em>NB: Although we can run the XAMPP web server on Microsoft Windows, for the sake of giving everyone the same experience and content in the lessons, we’re going to be using Linux/FreeBSD. I&#8217;ve also heard horror stories of getting XAMPP working on certain versions of Windows, so it&#8217;s easier for everyone involved if everyone is starting from the same point. </em></strong></p>
<p><strong><em>NB: If you’re on a Mac, you’ll have to use Virtualbox or VMWare. Wubi is Windows only. </em></strong></p>
<p>The second, most obviously, is a copy of XAMPP. XAMPP is free, open source software and can be downloaded from <a href="http://www.apachefriends.org/en/xampp-linux.html">here</a>, along with instructions for a successful installation. XAMPP is a bundling of the software you&#8217;ll need to get started, including Apache, MySQL, PHP and more.</p>
<p>Once installed, download a copy of DVWA. Unzip it, and copy the contents to the ‘htdocs’ folder where you installed XAMPP. Congratulations. You’ve just installed DVWA. Give yourself a big pat on the back.</p>
<p><strong><em>NB: From personal experience, I’ve found that when copying DVWA into the ‘htdocs’ folder, you can hit a few obstacles. To remedy this, you will have to run a simple command on the root of the ‘lampp’ folder or the ‘htdocs’ folder. This command is simply ‘<span style="text-decoration: underline;">chmod a+rwx</span>’. Note that this makes the folder world-writable, which is fine on a throwaway lab machine but not on anything reachable from a network.</em></strong></p>
<p><strong>What is Cross Site Scripting (XSS)?</strong></p>
<p>According to the OWASP Top 10, 2007 Edition, ‘XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites and possibly introduce worms, etc’.</p>
<p>In this lesson, we will be looking at reflected cross site scripting. This is basically user submitted data reflected back at the user. There are two other kinds, known as DOM and stored cross site scripting. This will be expanded upon in later lessons.</p>
<p><strong>Testing for Reflected Cross Site Scripting (XSS)</strong></p>
<p>With everything set up and XAMPP running, go to http://localhost/dvwa. Log in to DVWA with the username ‘admin’ and password ‘Password’. If you haven’t created the database yet, go ahead and use the automatic setup to create it.</p>
<div id="attachment_795" class="wp-caption aligncenter" style="width: 310px"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Mozilla-Firefox_002.png"><img class="size-medium wp-image-795 " title="Database" src="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Mozilla-Firefox_002-300x176.png" alt="" width="300" height="176" /></a><p class="wp-caption-text">If the DVWA database isn&#39;t set up, you&#39;ll see this. </p></div>
<p>Once that’s done, navigate to DVWA Security and change the security value from ‘high’ to ‘low’. Now, you’re ready to get hacking.</p>
<p>Navigate to ‘XSS Reflected’ and type in ‘&lt;plaintext&gt;’ and press enter. You’ll see a whole bunch of code. Congratulations, that shows that there is an XSS vulnerability.</p>
<p><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Desk-1_006.png"><img class="aligncenter size-medium wp-image-796" title="Desk 1_006" src="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Desk-1_006-300x187.png" alt="" width="300" height="187" /></a></p>
<p>Now, type in &lt;script&gt;alert('xss');&lt;/script&gt;. Embedded within the two HTML script tags lies a piece of JavaScript that brings up a browser alert with the message ‘xss’.</p>
<p><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Desk-1_009.png"><img class="aligncenter size-medium wp-image-797" title="Desk 1_009" src="http://matthewhughes.co.uk/wp-content/uploads/2010/07/Desk-1_009-300x187.png" alt="" width="300" height="187" /></a></p>
<p>What’s happened here is that the web application renders the code you provided. Reflected cross site scripting isn’t just making fancy little pop ups. It can be passed on to other end users and can cause some real damage.</p>
<p><strong>Conclusion</strong></p>
<p>In this lesson, we should have an understanding of what DVWA is, why penetration testing is important, how to set up XAMPP and DVWA and also have a basic understanding of how reflected XSS works, how to test for it and how to exploit it.</p>
<p>The next lesson will move on to stored XSS and SQL injection. It&#8217;s advisable that anyone who is not too familiar with SQL reads <a href="http://sqlzoo.net/">this tutorial</a>.</p>
<p><strong>Homework</strong></p>
<p>Go to <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a> and play around with the code snippets provided. Just get an understanding of DVWA and what XSS is.</p>
<p><strong>Addendum </strong></p>
<p>A lot of people are going to find the pace of this course frustrating. I aim to release a lesson every week, but realistically, that won’t be enough for some people. I therefore suggest that people buy a copy of The Web Application Hacker’s Handbook by Dafydd Stuttard or the OWASP Testing Guide 3.0. Both are very worthwhile books for any web application hacker. I’d like to place particular emphasis on the Web Application Hacker’s Handbook. It’s the most comprehensive, well written book on web application hacking I’ve ever seen.</p>
<p>If you have ANY issues getting started, or even any questions, please send me an email at me [ at ] matthewhughes [ dot ] co [ dot ] uk. I can also be reached on <a href="http://www.twitter.com/matthewhughes">@matthewhughes</a> on Twitter or matthugheswidnes on Skype. I’m really happy to help. I’m travelling for the next week though, so I might not be able to get back to you in anything resembling a timely manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/07/university-of-reddit-web-application-hacking-with-dvwa-lesson-1-getting-started-and-reflected-xss/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>A Brief Guide To The LIGATT Saga</title>
		<link>http://matthewhughes.co.uk/2010/06/a-brief-guide-to-the-ligatt-saga/</link>
		<comments>http://matthewhughes.co.uk/2010/06/a-brief-guide-to-the-ligatt-saga/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 18:56:59 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[attrition]]></category>
		<category><![CDATA[Ben Rothke]]></category>
		<category><![CDATA[chris john riley]]></category>
		<category><![CDATA[greg evans]]></category>
		<category><![CDATA[gregory d evans]]></category>
		<category><![CDATA[Ligatt]]></category>
		<category><![CDATA[national cyber security]]></category>
		<category><![CDATA[plagiarism]]></category>
		<category><![CDATA[seria mullen]]></category>
		<category><![CDATA[shitcast]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=791</guid>
		<description><![CDATA[Preamble
When I interviewed Greg for my podcast, I let him have his say without his views being misrepresented. I&#8217;ve wanted to write about the current furore for a while now, but I couldn&#8217;t decide on the best way to do it. I was in the process of writing a somewhat facetious limerick poem about the [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>Preamble</strong></em></p>
<p>When I interviewed Greg for my podcast, I let him have his say without his views being misrepresented. I&#8217;ve wanted to write about the current furore for a while now, but I couldn&#8217;t decide on the best way to do it. I was in the process of writing a somewhat facetious limerick poem about the drama, but I decided instead to simply write and explain what happened. This is largely for two reasons: nothing rhymes all that well with plagiarism, and it&#8217;s a genuinely serious subject. People have been falsely accused of racism and have been sent threats of violence for talking about LIGATT, and I ought to approach the subject with the seriousness that it deserves.</p>
<p>Besides a discussion on the subject on the next Student Hacker Information Technology Podcast episode, this will be the last time I talk about the subject (provided that Greg doesn&#8217;t do/say anything really stupid). Greg is just a troll, and you should <a href="http://www.urbandictionary.com/define.php?term=don%27t+feed+the+trolls">never feed the trolls. </a></p>
<p><em><strong>Introduction</strong></em></p>
<p>Danny Kaye is regarded as one of the best actors of all time. One of his most famous films was called ‘The Secret Life of Walter Mitty’. It featured a dreamer and fantasist called Walter Mitty, who imagined himself in fantastic scenarios and adventures that simply weren’t true. We can draw parallels between the character of Walter Mitty and Gregory D Evans, the CEO of LIGATT Security International, who in recent weeks has caused an outburst of unprecedented anger in the information security industry on account of the fantastic and ultimately false stories he has woven about his own history and expertise in computer hacking; plagiarism of copyrighted texts without the consent of the authors; threats of violence to well established computer security professionals; and false allegations of racism towards a number of prominent people in the computer security industry.</p>
<p><em><strong>Greg Evans</strong></em></p>
<p>Greg Evans is a fantastic story teller. Not unlike Walter Mitty’s fantasies of protecting priceless treasures and fighting Nazis, Greg has imagined himself as a former expert cracker gone good. Whilst it’s true that Greg Evans was sentenced to 24 months in jail along with a $9,000,000 fine for wire fraud and conspiracy against AT&amp;T and MCI, much of his story doesn’t add up. He talks about developing a close friendship with Kevin Mitnick in jail, and advising him to take federal plea bargains, a claim that Kevin Mitnick flatly denies. Kevin, in a post on the popular micro-blogging website Twitter, says <a href="http://twitter.com/kevinmitnick/status/16429015338">that he did not discuss hacking or his case with him, only his family and his lawyer.</a></p>
<p>Upon release from prison, Evans started a new company called LIGATT security, which currently trades for a fraction of a cent per share on the notoriously risky ‘pink sheet’ bulletin boards. Here, he offers a number of products which are aimed at making cyber security easier, or making online law enforcement easier. He also wrote a number of books that have had limited commercial success and has supposedly purchased a number of information security portals, one of which is called National Cyber Security and will be discussed later in the blog post.</p>
<p><em><strong>How To Be The World’s Number One Hacker</strong></em></p>
<p>Greg Evans markets himself as the world’s greatest hacker. <a href="http://www.youtube.com/watch?v=lTHJg0yfAoc">He has made YouTube videos to the same effect, which feature a montage of pictures of him in national and regional press to a backdrop of bad music.</a> His book is titled How To Be The World’s Number One Hacker, and has met with mixed reviews. The book is written in the name of Gregory Evans, and does not mention any authors or contributors other than Gregory Evans. Unfortunately, it has received fierce criticism as a work of unmitigated plagiarism, <a href="http://attrition.org/errata/charlatan/gregory_evans/evans07.html">with some sections of the book containing no original content whatsoever.</a></p>
<p>When I interviewed Greg Evans for the Student Hacker Information Technology Podcast, I asked him if his book contained sections that were plagiarized. He responded that he had paid for the sections that were not his own. <a href="http://twitter.com/carnal0wnage/status/16430386415">Unfortunately, that has been flatly denied by the people whose content was plagiarized</a>. It has certainly caused a great deal of uproar in the information security community, a tight knit community where people take care of each other and academic honesty is valued above all else.</p>
<p><em><strong>National Cyber Security </strong></em></p>
<p><a href="http://www.nationalcybersecurity.com/">National Cyber Security</a> (which is not to be mistaken for the National Cyber Security Division, a section of the US Department of Homeland Security, nor the National Cyber Security Alliance, nor the National Cyber Security Center) is a web portal for information security news owned by LIGATT Security International. It has faced severe criticism for plagiarism and unauthorized reproduction of content that it does not own. <a href="http://attrition.org/errata/charlatan/gregory_evans/ligatt09/">It&#8217;s important to note that the plagiarism in the LIGATT articles isn&#8217;t simply a paragraph here or there, but wholesale lifting of articles from other news sites.</a></p>
<p>It&#8217;s also important to note that NCS had what can best be described as &#8216;phantom reporters&#8217;. Seria Mullen, one of the supposed contributors to the blog, happened to look an awful lot like <a href="http://praetorianprefect.com/archives/2010/06/4305/">Chloe White Kennedy, a reporter for Knox News.</a> Another reporter, Grey McKenzie, is virtually unknown other than for his posts on NCS and a <a href="https://twitter.com/GreyMcKenzie">virtually unmaintained Twitter feed.</a></p>
<p>When the infosec community discovered the level of unauthorised appropriation, LIGATT went into damage control mode, removing content and shutting down the website for periods at a time. Unfortunately for Greg, the damage was done. National Cyber Security was exposed as a fraud, plain and simple.</p>
<p><em><strong>Greg Strikes Back</strong></em></p>
<p>Greg has been accused of sending death threats towards prominent podcaster, writer and computer security professional Chris John Riley. Whilst Chris was trying to arrange an interview with Greg for the <a href="http://www.eurotrashsecurity.eu/">Eurotrash Security Podcast</a>, he raised the ire of Greg, causing him to leave a <a href="http://blog.c22.cc/2010/06/17/threats/">threat of violence on his blog post.</a> It goes without saying that threats of violence are simply not acceptable in polite company, especially not in the computer security industry, where ideas and knowledge are king. Hackers don&#8217;t threaten each other with violence. We share ideas in a public forum and then scrutinize them, just like a scientist shares data for others to peer review it.</p>
<p>Not content with threats of violence, he has also resorted to sullying the reputations of Ben Rothke and Chris John Riley with accusations of racism. Racism has no place within our society, and accusations of racism are serious indeed, and have the capacity to damage anybody&#8217;s reputation and career. Racism is nasty and damaging, and throwing around groundless accusations of racism is not only an insult to the genuine victims of racial prejudice, it also places in jeopardy the careers and personal standing of the people accused of it.</p>
<p>With this in mind, it&#8217;s important to note that the two people <a href="http://webcache.googleusercontent.com/search?q=cache:UKFJLDu5Yf0J:www.nationalcybersecurity.com/articles/441/1/How-Can-Computer-Nerds-Be-Racist/Page1.html+can+computer+nerds+be+racist&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=uk&amp;client=firefox-a">accused of racism by Greg Evans</a> are Ben Rothke and Chris John Riley, who are critics of LIGATT Security and are most definitely not racist. <em>Literary criticism is not synonymous with racism</em>.</p>
<p>Greg Evans&#8217; book was not criticised because of any prejudice against African Americans. Indeed, on the internet, race is irrelevant. If the internet was a country, it&#8217;d certainly be one of the least homogenous countries in the world. How To Be The World’s Number One Hacker was criticised simply because it was filled with other people&#8217;s content, not to mention a boatload of grammatical and spelling errors.</p>
<p>For Greg Evans to make a press release accusing Chris John Riley and Ben Rothke of racism is not only an insult to the many people who have to live with racism as a day to day reality. It is also most certainly slander, and one can hope that one day, Greg sees the error of his ways and releases a full retraction and makes a sincere apology to those who have been affected by his lies.</p>
<p><em><strong>Conclusion </strong></em></p>
<p>Greg Evans is a charismatic, intelligent guy who certainly knows how to market effectively. He genuinely could do a lot of good, as he knows how to engage the media and market effectively. He could do a lot to enhance awareness of cyber security issues, instead of releasing shoddy books that were built on other people&#8217;s hard work and making threats of violence and false accusations of racism. Greg needs to repair the bridges he burned with his general silliness with a sincere, frank apology and restitution to those whose content he ripped off.</p>
<p>In The Secret Life Of Walter Mitty, things work out in the end for Walter. It&#8217;s up to Greg Evans to decide how this saga ends.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/06/a-brief-guide-to-the-ligatt-saga/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>GeordieCon: The potential for a compsec convention in the North East.</title>
		<link>http://matthewhughes.co.uk/2010/05/geordiecon-the-potential-for-a-compsec-convention-in-the-north-east/</link>
		<comments>http://matthewhughes.co.uk/2010/05/geordiecon-the-potential-for-a-compsec-convention-in-the-north-east/#comments</comments>
		<pubDate>Thu, 27 May 2010 23:47:40 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[brucon]]></category>
		<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[def con]]></category>
		<category><![CDATA[ethical hacking]]></category>
		<category><![CDATA[Geordiecon]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[jeff moss]]></category>
		<category><![CDATA[newcastle]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=765</guid>
		<description><![CDATA[Belgium has Brucon. Ireland has AppSec. Barcelona has Black Hat. The UK has around 15 universities doing courses in ethical hacking and information security, and most universities offer a computer forensics class. As a nation, we’re one of the most IT powered in the world, with almost ubiquitous usage of technology in government, services and [...]]]></description>
			<content:encoded><![CDATA[<p>Belgium has Brucon. Ireland has AppSec. Barcelona has Black Hat. The UK has around 15 universities doing courses in ethical hacking and information security, and most universities offer a computer forensics class. As a nation, we’re one of the most IT powered in the world, with almost ubiquitous usage of technology in government, services and enterprise. Unfortunately, the UK has not had a single computer security and hacking conference since Brumcon 2006, excepting the smaller OWASP and 2600 meetups.</p>
<p>The UK really is the prime place for a hacking conference. We have a level of enthusiasm and expertise in the computer security fields that parallels most other Western countries. Newcastle also is a prime location for a computer security conference, with an expansive public transport network, an international airport and amazing nightlife (I speak from experience). It also has a top-50 university which does a well respected Ethical Hacking course. Surely then, Newcastle is an ideal city for a con. Despite all this, nobody has run a convention in the Newcastle area.</p>
<p>I’ve always been enthusiastic about computers and security, to the level that I chose to study computer security at degree level. I read about it constantly, and hacking conferences have always fascinated me. In a moment of inspiration, I decided to buy a domain name, and investigate the possibility of a sub-small-scale security conference in Newcastle, where ticket prices were affordable and it allowed younger talents to showcase their projects, ideas and skills to their peers and potential employers and investors.</p>
<p>Let it be said that I think the likelihood of a security conference emerging from this late night fit of inspiration to be very, very slim, for a number of reasons which I will list in detail below. I also don’t think that if a security convention did emerge, it would be by any means successful, be it fiscally, personally or with regards to its aims.</p>
<p>The first reason is that I am honestly the worst person imaginable for hosting a security convention, on a number of levels. Despite my enthusiasm for the subject, and a constant desire to learn more, my level of expertise is virtually negligible compared to the many people my age who know a lot more than me when it comes to computer security. Whenever I am doing anything with regards to computer security, I always approach it with a degree of humility, because I’ve got a lot to learn. This, despite not disqualifying me from running a con, probably suggests that it’s not the best idea.</p>
<p>The second reason is that conventions are notoriously difficult to run, according to&#8230; well&#8230; people who have run conventions before. You’ve got to book speakers, book a room to host it, and generate interest in the convention itself. This is a hefty amount of work. On top of this, you have to ensure that things run smoothly and there are no hiccups. Which brings me on to my next point&#8230;</p>
<p>I study ethical hacking at great expense because I enjoy it and want to make a career out of it. To do that, I need to work incredibly hard. I’m doing an incredibly intensive course where you can’t really be abstract. You have to be incredibly precise and know your stuff. This means you have to study insanely hard. It’d be nigh on impossible to maintain a decent social life, study hard and manage a convention at the same time. From what I understand, it’s a real timesuck, which wouldn’t bode well for my studies.</p>
<p>There are other, smaller, but still important issues that put me off hosting a &#8216;con. The first is the issue of liability. I wouldn’t want to be held responsible for any stupidity that goes on that breaches a law, or gets me in trouble with my university. It’d be a bit of a pain, cobbling together the early investment. Function rooms and speakers aren’t cheap. I also don’t really have that many contacts within the computer security industry to help garner enthusiasm for the event.</p>
<p>Conversely, a short, affordable number of presentations relating to computer security would be potentially a good thing. It would undoubtedly generate and enhance enthusiasm, awareness and knowledge of the field of computer security in people who normally wouldn’t be able to make it to one of the larger, and more expensive, conventions.</p>
<p>It also gives a staging ground to display locally developed projects and knowledge by people, predominantly students, who normally wouldn’t have access to the decision makers in computer security.</p>
<p>If I was to realize my aspiration of launching a &#8216;con in the North East, it&#8217;d be simple. Just a one day, or half day event with speakers making presentations on computer security in a function room, or in a small lecture room. It&#8217;d be straight to the point, affordable and would be open to anyone with a good idea, or something cool to show or teach.</p>
<p>I want to say that I’ve not decided anything regarding a potential Newcastle based convention (which I’ve named GeordieCon). I’ve registered a domain name (geordiecon.co.uk), but nothing more, and if nothing becomes of this project, I won’t be too upset. Honestly, I’m just investigating the potential of launching a convention in the North of England. Admittedly, I’d like to launch one, but in the real world, you can’t always have what you’d like, and it&#8217;s much more sensible to approach this with a cautious, investigative eye.</p>
<p>If anyone has looked into launching a &#8216;con before, or has actually done one, or even runs regular technology meetups, feel free to comment on this post and give advice or feedback. Like I said, I&#8217;m just investigating the possibility of a convention in the North of England. Nothing has been decided yet, despite how much I&#8217;d like to make this a reality.</p>
<p>Matthew Hughes</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/geordiecon-the-potential-for-a-compsec-convention-in-the-north-east/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>SecurityBSD&#8217;s new logo</title>
		<link>http://matthewhughes.co.uk/2010/05/securitybsds-new-logo/</link>
		<comments>http://matthewhughes.co.uk/2010/05/securitybsds-new-logo/#comments</comments>
		<pubDate>Wed, 26 May 2010 01:13:26 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[SecurityBSD]]></category>
		<category><![CDATA[FreeBSD]]></category>
		<category><![CDATA[krysta mcburnie]]></category>
		<category><![CDATA[matthew hughes]]></category>
		<category><![CDATA[netbsd]]></category>
		<category><![CDATA[openbsd]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=761</guid>
		<description><![CDATA[Thanks to Krysta McBurnie for the logo. Follow her on Twitter at @thenonbeliever. You can find her website here.

]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/securityBSD_logo.jpg"><img class="aligncenter size-full wp-image-762" title="securityBSD_logo" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/securityBSD_logo.jpg" alt="" width="654" height="692" /></a>Thanks to Krysta McBurnie for the logo. Follow her on Twitter at <a href="http://twitter.com/thenonbeliever">@thenonbeliever</a>. You can find her website <a href="http://krystamedia.com/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/securitybsds-new-logo/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Be careful what you post on Facebook</title>
		<link>http://matthewhughes.co.uk/2010/05/be-careful-what-you-post-on-facebook/</link>
		<comments>http://matthewhughes.co.uk/2010/05/be-careful-what-you-post-on-facebook/#comments</comments>
		<pubDate>Wed, 19 May 2010 01:19:59 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[england]]></category>
		<category><![CDATA[england flag]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[facebook api]]></category>
		<category><![CDATA[graph api]]></category>
		<category><![CDATA[openbook]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=756</guid>
		<description><![CDATA[Facebook is a pretty cool site. Around 400 million people use it to share videos and photos, talk with friends and family and play games. However, Facebook as an entity has shown a blatant disregard for the privacy of its end users. A new website called Openbook shows the pitfalls of Facebook privacy settings by [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook is a pretty cool site. Around 400 million people use it to share videos and photos, talk with friends and family and play games. However, Facebook as an entity has shown a blatant disregard for the privacy of its end users. A new website called Openbook shows the pitfalls of Facebook privacy settings by making a search engine that shows what Facebook users are posting in real time. As you can expect, with 400,000,000 users, some will mistakenly make some status updates that they&#8217;d rather keep private, but end up on the Openbook search engine.</p>
<p style="text-align: center;"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/1.png"><img class="aligncenter size-full wp-image-757" title="1" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/1.png" alt="" width="552" height="371" /></a>What a delightful specimen of humanity. I, for one, am glad that people like the above are our next generation of doctors, lawyers, teach&#8230; Oh wait. Never mind.</p>
<p>(On an unrelated note, the garbage she is talking about refers to where someone attached <a href="http://www.telegraph.co.uk/news/uknews/7737128/England-flags-cut-down.html">England flags to property that didn&#8217;t belong to them</a>, and they were cut down and returned to the owner. Nothing as sensational as a blanket ban on the England flag.)</p>
<p style="text-align: center;"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/4.png"><img class="aligncenter size-full wp-image-758" title="4" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/4.png" alt="" width="555" height="115" /></a>I&#8230; Uh&#8230; Don&#8217;t think that&#8217;s how politics works, dude.</p>
<p style="text-align: center;"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/2.png"><img class="aligncenter size-full wp-image-759" title="2" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/2.png" alt="" width="543" height="130" /></a>Yeah, you probably shouldn&#8217;t post a status like that Eric. Especially with open privacy settings&#8230;</p>
<p>Whilst it&#8217;s almost inevitable that the likes of 4chan and other internet riff raff will use a tool like Openbook to get as many people fired from their jobs as possible, it serves a purpose to educate people that Facebook isn&#8217;t the best place to post ill informed diatribes or rants about your employer.</p>
<p>If anyone takes anything from this blog post, it&#8217;s that you should really, really make your Facebook privacy settings the most strict that you can (or even better, delete your Facebook account). What you post on Facebook isn&#8217;t private. If you post something potentially embarrassing on the site, and it becomes viral, there&#8217;s nothing you can do about it. Whenever you post a status update, or upload a photo, just think <em>&#8216;is this a good idea?&#8217;</em></p>
<p>Food for thought, anyway.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/be-careful-what-you-post-on-facebook/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SecDaemon &#8211; An imagining of the SecurityBSD vision</title>
		<link>http://matthewhughes.co.uk/2010/05/secdaemon-an-imagining-of-the-securitybsd-vision/</link>
		<comments>http://matthewhughes.co.uk/2010/05/secdaemon-an-imagining-of-the-securitybsd-vision/#comments</comments>
		<pubDate>Tue, 18 May 2010 22:27:55 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Plugs]]></category>
		<category><![CDATA[SecurityBSD]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[gnome]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[leonardo botelho]]></category>
		<category><![CDATA[SecDaemon]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=749</guid>
		<description><![CDATA[Leonardo Botelho, a Brazilian FreeBSD and computer security enthusiast, is a greatly valued member and contributor to the SecurityBSD project. One of his personal, older projects accomplishes some of the goals of SecurityBSD, with an emphasis on usability.
All in all, it&#8217;s all pretty cool. Screenshots below.

]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.leonardobotelho.com/blog/">Leonardo Botelho</a>, a Brazilian FreeBSD and computer security enthusiast, is a greatly valued member and contributor to the SecurityBSD project. One of his personal, older projects accomplishes some of the goals of SecurityBSD, with an emphasis on usability.</p>
<p>All in all, it&#8217;s all pretty cool. Screenshots below.</p>
<p style="text-align: center;"><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec01.png"><img class="size-full wp-image-750 aligncenter" title="sec01" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec01.png" alt="" width="560" height="450" /></a><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec02.png"><img class="size-full wp-image-751 aligncenter" title="sec02" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec02.png" alt="" width="561" height="453" /></a><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec03.png"><img class="size-full wp-image-752 aligncenter" title="sec03" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec03.png" alt="" width="560" height="451" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/secdaemon-an-imagining-of-the-securitybsd-vision/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New SecurityBSD splash screen</title>
		<link>http://matthewhughes.co.uk/2010/05/new-securitybsd-splash-screen/</link>
		<comments>http://matthewhughes.co.uk/2010/05/new-securitybsd-splash-screen/#comments</comments>
		<pubDate>Tue, 18 May 2010 21:41:02 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[SecurityBSD]]></category>
		<category><![CDATA[FreeBSD]]></category>
		<category><![CDATA[splash screen]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=745</guid>
		<description><![CDATA[One of the contributors to the SecurityBSD project, Leonardo Botelho, from Brazil, has been so kind as to make a SecurityBSD splash screen.

This will be included in version 0.02, and, in my opinion, is pretty damn cool.
Thanks again to Leonardo.
]]></description>
			<content:encoded><![CDATA[<p>One of the contributors to the SecurityBSD project, <a href="http://www.leonardobotelho.com/blog/">Leonardo Botelho</a>, from Brazil, has been so kind as to make a SecurityBSD splash screen.</p>
<p><a href="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec_boot.png"><img class="alignnone size-full wp-image-746" title="sec_boot" src="http://matthewhughes.co.uk/wp-content/uploads/2010/05/sec_boot.png" alt="" width="711" height="390" /></a></p>
<p>This will be included in version 0.02, and, in my opinion, is pretty damn cool.</p>
<p>Thanks again to Leonardo.</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/new-securitybsd-splash-screen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Announcing Security BSD 0.02 – Codename: Banal</title>
		<link>http://matthewhughes.co.uk/2010/05/announcing-security-bsd-0-02-%e2%80%93-codename-banal/</link>
		<comments>http://matthewhughes.co.uk/2010/05/announcing-security-bsd-0-02-%e2%80%93-codename-banal/#comments</comments>
		<pubDate>Sun, 16 May 2010 22:22:20 +0000</pubDate>
		<dc:creator>Matthew Hughes</dc:creator>
				<category><![CDATA[SecurityBSD]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[FreeBSD]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[joggler]]></category>
		<category><![CDATA[netbsd]]></category>
		<category><![CDATA[openbsd]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://matthewhughes.co.uk/?p=743</guid>
		<description><![CDATA[Announcing Security BSD 0.02 – Codename: Banal
Named after a comment describing SecurityBSD on a Russian blog which, translated, meant ‘Banal Shit’, SecurityBSD 0.02 is the next step in the FreeBSD based security distribution. This distribution has three aims: Functionality, customization and expansion. It will feature more security tools, it will fix config files to make [...]]]></description>
			<content:encoded><![CDATA[<p>Announcing Security BSD 0.02 – Codename: Banal</p>
<p>Named after a comment describing SecurityBSD on a Russian blog which, translated, meant ‘Banal Shit’, SecurityBSD 0.02 is the next step in the FreeBSD based security distribution. This distribution has three aims: Functionality, customization and expansion. It will feature more security tools, it will fix config files to make sure that each application works as intended, and the boot process will be adorned with the SecurityBSD branding.</p>
<p>We are looking for a late June release date for a number of reasons, which will be discussed on a separate blog post.</p>
<p>This version will also be ported to the O2 Joggler, which I will elaborate on in a later post.</p>
<p>Matthew Hughes</p>
]]></content:encoded>
			<wfw:commentRss>http://matthewhughes.co.uk/2010/05/announcing-security-bsd-0-02-%e2%80%93-codename-banal/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
