Tuesday, June 8, 2010

Hands-On Project 4-3 (Page 150)



Objective ad verbatim:

“Substituting a fraudulent IP address can be done by either attacking the Domain Name System (DNS) server or the local host table. Attackers can target a local hosts file to create new entries that will redirect users to their fraudulent site. In this project, you add a fraudulent entry to the local hosts file.” (Ciampa, 2009)

Process:

1. First, I started up Mozilla Firefox and pointed the browser to www.course.com and made sure that the site was correctly resolved.


2. I went to Google and repeated the step above.


3. Next, I ran Notepad with full administrator privileges.


4. I navigated to the file C:\Windows\System32\Drivers\etc\Hosts and opened it. I appended “74.125.47.99 www.course.com” to the file and saved it.


5. I went to www.course.com once more and was surprised to see it being redirected to Google. I returned to the hosts file and deleted the entry. After a few moments, I was able to access www.course.com again.
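A defender's counterpart to the step above, added here as an example that is not part of the original post: a small audit that parses a hosts file and flags entries which send a public-looking hostname somewhere other than loopback, a null route or a private address. The sample hosts content is constructed and includes the entry the project added.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file, modelled on the entry the project added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    server1        # lab box on the LAN
74.125.47.99    www.course.com
0.0.0.0         ads.example.net
"""

# Addresses that never redirect anywhere useful to an attacker.
LOOPBACK_OR_NULL = {"0.0.0.0", "255.255.255.255", "::"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every hostname in a hosts file.
    Comments (#) and blank lines are skipped; one line may list several names."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line, not a resolvable entry
        for name in parts[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, int]]:
    """Flag entries that point a public-looking hostname (contains a dot, not a
    .local/.lan/.localdomain name) at an address that is neither loopback,
    null-route nor private: the shape of entry a hosts-file hijack creates."""
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if ip in LOOPBACK_OR_NULL or addr.is_loopback or addr.is_private:
            continue
        if "." not in name or name.endswith((".local", ".lan", ".localdomain")):
            continue
        flagged.append((ip, name, line_no))
    return flagged
```

On Windows the file to feed in is the one named in step 4; on Unix-like systems it is /etc/hosts.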



Reflection:

Using a simple hosts file append, an attacker can redirect sites that are visited often to sites that are dangerous (e.g. a site that spoofs Facebook and prompts you for your login credentials when you access the legitimate www.facebook.com). One way to prevent this is to never allow programs that you do not absolutely trust to perform Administrator-level actions.

However, modifications to the hosts file can be useful in preventing other users of the same machine, such as a child, from accessing sites that are not desirable. This can be an easy approach to prevent the child from surfing to sites which contain objectionable material.

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"




Hands-On Project 4-1 (Page 148)



Objective ad verbatim:

“A protocol analyzer (also called a sniffer) captures packets to decode and analyze its contents. In this project, you download and install the Wireshark protocol analyzer.” (Ciampa, 2009)

Process:

1. First, I opened up Mozilla Firefox and pointed the browser to www.wireshark.org and downloaded the installer.


2. After the download completed, I ran the installer and launched the program.


3. I then clicked Capture and then Interfaces. I selected ‘Microsoft’, the only interface showing any packet activity.


4. To generate some activity of my own, I opened up the Command Prompt, typed in “ftp server1” and ran the request.


5. Next, I went to www.bluehost.com/cgi-bin/uftp/ and entered in the login credentials (Login: Gerald, Password: happy). I received a login failed message.


6. Returning to Wireshark, I ran a search for the string, “Gerald” to no avail. I ran a few more searches with variants of the word like “Ger” and “ald”. In desperation, I ran searches looking for “happy” and some variants. After a few attempts, I realized that Wireshark might have started to encrypt the login details sent to the server.


7. Giving Bluehost up, I proceeded to start up my own existing server on the local network. I wrote a quick html form that accepts two fields: Username and Password and sends it to a .asp on the server to authenticate. Typing in the same credentials as above, I sent the request to login with Gerald (of course returning a failed login as well; I hadn’t added it to my list of allowed users).


8. Returning to Wireshark, I ran a search for the same string (“Gerald”) and this time, I got a hit right away. I right clicked on the packet and selected ‘Follow TCP Stream’ and ran a ‘Find’ for the string “Gerald” in the window that came up. I could easily find the password as the credentials were sent to the server in very easily read plain text (Login=Gerald&Password=happy).
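What ‘Follow TCP Stream’ plus ‘Find’ did by hand in step 8 can be automated into a check that flags secret-looking form fields readable in a plaintext HTTP request. This is an added example, not code from the original post; the captured stream below is constructed to match the request the project's form sent (the handler path /login.asp is an assumption).

```python
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed capture, modelled on what "Follow TCP Stream" showed in step 8:
# the form posts its two fields to the .asp handler in plain text.
SAMPLE_STREAM = (
    b"POST /login.asp HTTP/1.1\r\n"
    b"Host: server1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"Login=Gerald&Password=happy"
)

# Substrings of field names that commonly carry secrets (matched case-insensitively).
SECRET_FIELDS = ("pass", "pwd", "secret", "token")


def parse_http_request(stream: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target, headers and body.
    Raises ValueError when the bytes are not a plaintext request (e.g. TLS)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "headers": headers, "body": body[:length]}


def exposed_credentials(stream: bytes) -> List[str]:
    """Names of secret-looking fields readable in the clear: from the query
    string of any request, or the body of a form-urlencoded POST."""
    try:
        req = parse_http_request(stream)
    except (ValueError, UnicodeDecodeError):
        return []  # ciphertext or garbage: nothing is readable
    fields = dict(parse_qsl(urlsplit(req["target"]).query))
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(req["body"].decode("latin-1")))
    return [name for name in fields if any(k in name.lower() for k in SECRET_FIELDS)]
```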



Reflection:

From this project, one can easily see how login credentials sent using a simple html form or code that provides no obfuscation at all to the data sent to the server can be stolen by simply examining the packet bytes. This simple packet sniffing technique can be easily circumvented by scrambling the text input before sending it out in clear text.

However, simply writing a simple algorithm to do that directly into the page code (with PHP) might hinder an attacker merely for a brief moment. Examination of the page source might reveal how the data is encrypted and the attacker might reconstruct the original credential details by reverse engineering the algorithm.

This project also teaches me the importance of making sure a web page is secure before performing important tasks like online banking or shopping. This can be done by establishing a connection to the web site with https:// and Secure Sockets Layer (SSL).

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"




Hands-On Project 3-3 (Page 113)



Objective ad verbatim:

“Setting browser security is important to keep a computer secure. In this project, you use the Windows Internet Explorer (IE) Version 7 Web browser.” (Ciampa, 2009)

Process:

1. First, I opened up… Internet Explorer (ew) and clicked on Internet Options and then selected the General tab.


2. Next, I clicked Settings under Browsing History and then View Files.


3. I selected a cookie from the list and viewed its contents in Notepad. This cookie contained quite a substantial bit of information when compared to other cookies like Google’s for 


4. I then deleted all Browsing History.



5. Following that, I clicked Tools and pointed to Manage Add-ons and from the drop down menu: Add-ons that run without requiring permission.


6. Next, I opened up the Security tab found in Internet Options.


7. I then clicked on Custom Level and scrolled through the ActiveX Security Settings. It seemed sufficient to me, providing the user with a host of controls.


8. Now, I went to www.documentingreality.com.


9. I then placed www.documentingreality.com into the restricted websites list.


10. I went back to www.documentingreality.com.


11. Finally, I clicked on the Privacy tab and looked at the slider. I also checked the prevent popup checkbox.



Reflection:

ActiveX controls are very dangerous when given full rein. If a user allows access to an ActiveX control that is malicious, it may prove disastrous since it has the ability to modify files and work at a very high level. This project has taught me that the user should be more aware of the security features of a browser and that proper setting of options for security is very important, especially for browsers, programs that are at the very front of the internet interface.

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"




Hands-On Project 3-2 (Page 111)



Objective ad verbatim:

“Antivirus software is important yet free AV products may not offer the best protection. In this project, you download a virus test file to determine how your AV software reacts. The file downloaded is not a virus but designed to appear to an antivirus scanner as if it were a virus. You need to have antivirus software installed on your computer to perform this project.” (Ciampa, 2009)

Process:

1. First, I clicked Start - Control Panel - Security - Security Center. I checked that Virus Protection was turned On.


2. Next, I started up Mozilla Firefox and pointed my browser to http://www.eicar.org/anti_virus_test_file.htm and read the “Anti-Virus or Anti-Malware test file” information. Following that, I downloaded “eicar.com”.


3. When the download completed, my antivirus gave me a warning about the file I just downloaded.


4. Next, I downloaded “eicar_com.zip”. There were no warnings given about the download.


5. I then scanned the .zip file manually for viruses. This time, it detected the infected file.


6. Last, I downloaded “eicarcom2.zip”, a double compressed file. No warnings were given about the download.


7. I then scanned the file when the download completed and it detected infected files.
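The behaviour seen in steps 3 to 7 comes down to whether a scanner looks inside archives. As an added example (not code from the original post), this recursive scanner recognises the EICAR test string and unpacks zip archives in memory, so the plain file, the zipped file and the double-zipped file are all caught; the three test files are constructed in memory rather than downloaded.

```python
import io
import zipfile
from typing import Dict, List

# Public EICAR test string (the content of eicar.com): harmless by design,
# but every scanner is expected to flag it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 4  # stop unpacking archives nested deeper than this (zip bombs)


def is_eicar(data: bytes) -> bool:
    """The 68-byte string must come first; only trailing whitespace is allowed."""
    return data.startswith(EICAR) and not data[len(EICAR):].strip()


def scan(data: bytes, name: str = "<root>", depth: int = 0) -> List[str]:
    """Return the path of every EICAR file found, descending into zip archives
    so that eicar_com.zip and the double-zipped eicarcom2.zip are both caught,
    unlike a download scanner that only examines the outer file."""
    if is_eicar(data):
        return [name]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits.extend(scan(zf.read(info), f"{name}/{info.filename}", depth + 1))
    return hits


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {filename: bytes}; used to construct test files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, blob in entries.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


# Constructed equivalents of the three downloads from the project.
EICAR_COM_ZIP = make_zip({"eicar.com": EICAR})
EICARCOM2_ZIP = make_zip({"eicar_com.zip": EICAR_COM_ZIP})
```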



Reflection:

With the advent of high-speed internet and the greater content available for download over the internet, there is no doubt that a deluge of malware and viruses accompany these downloads. Thus the importance of antiviruses with internet scanners. From the project, I noticed that although my antivirus had caught the test file during download in its uncompressed form, it allowed the zipped versions to pass through.

This made me think about double confirming that a file is free from infection by manually scanning every downloaded file instead of relying on the download scanner. Also, this prompted me to check how many people actually scanned a file after download. I did a survey with my contacts over MSN Live Messenger and found that only 40% of them scanned a file most of the time and 10% scanned them conscientiously.

With viruses being able to circumvent virus scanners by simply zipping themselves up, it becomes a weak point when users trust their antiviruses to blindly detect malicious code and open the .zip without thinking that the compressed file could be infected.

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"




Monday, June 7, 2010

Hands-On Project 2-3 (Page 72)


Objective ad verbatim:

“One of the methods for blocking a USB drive is to use third-party software that can control USB device permissions. In this project, you download and install a software-based USB write blocker to prevent data from being written to a USB device.” (Ciampa, 2009)

Process:

1. Firstly, I opened up Mozilla Firefox (JAPH) and pointed the URL to http://www.irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker. I then downloaded Thumbscrew to a thumb drive.


2. Next, I turned on VMWare and plugged my thumb drive into Windows XP. I navigated through Explorer to the Thumbscrew folder on my thumb drive and started the executable up. An icon appeared in the system tray. I checked to make sure the disk protection was off.


3. I returned to my desktop and right clicked on the text file that was created during Hands-On Project 2-2. I selected ‘Send To’ then clicked on my thumb drive.


4. Then, I opened up Explorer and navigated to my thumb drive. As expected, the file was found in the thumb drive’s root directory.


5. I clicked on the tray icon next and selected ‘Make USB Read Only’ from the pop up list.

6. Next, I created another text file and attempted to send it to my thumb drive via the same method.


7. An error message was shown.



Reflection:

From this project, I learnt how easy it is to make a USB device unreadable on a computer. It is a skill I do not foresee using much in the near future, but it might prove useful.

Sine cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"

Rest in Peace, Dio.




Sunday, June 6, 2010

Hands-On Project 2-2 (Page 71)



Objective ad verbatim:

“A keylogger program captures everything that a user enters on a computer keyboard. The program runs invisibly in the background and cannot be detected even from the Windows Task Manager. In this project, you download and use a keyboard logger.” (Ciampa, 2009)

Process:

1. Firstly, I opened up my trusty Mozilla Firefox and headed to http://www.softdd.com/keystrokerecorder/index.html whilst painfully ignoring the security warnings that the page was dangerous. Following the instructions, I downloaded the application to a thumb drive.


2. Before doing anything else, I ran an anti-virus scan on the file downloaded. No threats were found in the installation.


3. I then opened up VMWare and started up Windows XP. Next, I attached my thumb drive to the Virtual Machine and ran the Keyboard Collector Trial Setup application.


4. When the program finished its install, I launched it. I made sure “Always Run (Ignore Start Time)” was checked and pressed “Activate/Start” to activate the keylogger.


5. Next, I created a text document on the desktop.


6. I wrote in the document.


7. I went back to the keylogger to check the results of the key capturing; they were very alarming. The log was very readable, preserved almost perfectly as it was typed, and considering the lack of warnings that popped up, it was pretty much silent. (Though there was no anti-virus installed on the Virtual Machine at all.)


8. On further inspection during the keylogger’s runtime, I discovered that the program is invisible in the Task Manager. I snooped around deeper and found a rogue process called kcol23.exe. It is barely noticeable to an average user.


9. Finally, I removed the keylogger from my Windows XP system and performed a system restore to be sure that the malware is totally wiped from the system.



Reflection:

Keyloggers are bad news. In fact, it’s pretty horrible news. They allow an attacker access to your authentication credentials. They will certainly cause a lot of loss, whether it be as innocent as your game account or the money in your bank.

From this project, I can see how easy it is to look through logs with key strokes collected and steal information. Also, it is unnerving to see how easily a program can hide itself when it wants to, concealing the fact that it is there watching your every move and recording them down just for the hostile attacker.

Some people don’t even realize that their data is being stolen and recorded until it’s too late.

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"


