Walker News » Security

YouTube Videos Show How Clickjacking Works

Walker — Sat, 28 May 2011 14:22:00 +0000

There is an article on Wikipedia describes what clickjacking is. In simple words, this attack works by hiding an iframe on top of the visible web objects that prompt user to click on it.

To figure that out, these two YouTube videos might help you understand clickjacking better and how to avoid such attacks against your precious online accounts (e.g. Facebook, Gmail, etc).

Symantec demos the Facebook clickjacking attack:

Another YouTube video demos how an Internet game using clickjacking to spy on user’s webcam:

Can SysKey Prevents TRK Resets Windows 7 Administrator Password To Blank?

Walker — Wed, 20 Jan 2010 16:57:11 +0000

While I appreciate a rescue tool to reset Windows 7 administrator password in case I forgot the passkey after coming back from a long holiday, I hate to know someone using it to break into my Windows 7 machine and put my valuable data at risk. So, I rather hope there is no way to reset the forgotten password and let the data remain unrecoverable.

You probably know that how easy it is to use such tool, like Trinity Rescue Kit (TRK), to reset Windows account password of a vanilla installation. So, I am eagerly looking for best Windows security practice to prevent TRK or similar tool from breaking into Windows 7.

The BitLocker Drive Encryption could be one of the most promising Windows security features to prevent TRK crack the Windows 7 Administrator account. No one can sure it is bulletproof at now and forever. Besides, enabling BitLocker Drive Encryption might introduce significant performance issue on certain system or certain application.

For my aging Dell Latitude D410, it is going slower than expected after turning on the BitLocker. However, I cannot afford to leave data exposed when the mobile computer goes to the wrong hand. So, I turn to try Windows System Key Protection (Syskey) introduced since Windows NT (and should have been enhanced over the time).

1) At an elevated privilege Windows Command Prompt, type syskey and press ENTER. Warning: Once the Syskey is enabled, this encryption cannot be disabled.

2) Click Update button to bring up Startup Key dialog box, select “Password Startup”, give it a “complicated” password, and click OK.

3) Click OK button again to enable the good old Syskey in the hope it could really secure the SAM file (Windows Account Database).

Next, I tried to boot up TRK from USB flash drive. Surprisingly, the winpass shell scripts that execute the chntpw program stills capable to reset the Windows administrator account password to blank in no time! I guess that chntpw simply remove the encrypted password of the specified Windows account.

After rebooting from Trinity Rescue Kit, Windows 7 boots up and then Syskey prompts for the passkey as I expected, before the system proceeds to the GINA (Graphical Interface for Network Authentication).

After entering the “complicated” password I set for the Syskey, Windows 7 continues loading and then present the Desktop without asking me for the Windows account password.

Verdict

Enabling Syskey could NOT prevent TRK from resetting Windows account password to blank / empty.

However, you still have to provide a correct Syskey password in order to gain access to Windows 7 Desktop. Unless the bad guy can also crack the Syskey protection, Windows 7 reboots after a number of wrong passkey entered for the Syskey prompt. Again, no one sure the Syskey cannot be crack at now and forever.

To make it harder for bad guy, use Encrypting File System (EFS) to encrypt sensitive data files!

Optionally, turn on BIOS password so that your semi-hacker colleague couldn’t break into your Windows 7 as easy as he wish :-)

How To Prevent TRK Crack Windows 7 Administrator Account?

Walker — Tue, 12 Jan 2010 18:45:07 +0000

While the Trinity Rescue Kit (TRK) is a useful tool for computer that cannot boot up normally, this customized Linux distribution can also be one of the most dangerous tools when it is on the hand of black hat hackers. As the Chinese idiom said: “water can take boat as well as sinking the boat (水能载舟亦能覆舟)”.

To enlighten you how could this useful toolkit turns bad and how could you prevent the bad guys from breaking into the Microsoft latest Windows 7 system, I share what I have tested just now, for education purpose only.

Remember, everything in Linux is case-sensitive, so as TRK:

1) Boots up the Windows 7 computer from TRK bootable CD/DVD-ROM or USB flash drive.

2) Run winpass -u Administrator or replace the “Administrator” with any other Windows user account of administrators group (for example, winpass -u Walker).

3) Select the discovered Windows installation from the list and then choose Option 1 to reset the said Windows account password to blank / empty.

4) If the password cleared successfully, you should notice that TRK automatically create a backup copy of SAM file as SAM.trk. Take note of the Windows OS hard disk drive device file in TRK (in my screenshot, it is hda2).

5) Reboot into Windows 7. You should be able to login automatically with the user account specified to winpass shell script executed in step 2.

6) Reboot into Trinity Rescue Kit. Type mountallfs -g to mount Windows 7 NTFS file system in read-write mode:

7) With reference to the SAM file path in step 4, change directory to that folder. Execute mv SAM.trk SAM to replace the SAM file with backup copy (the original SAM file before you reset the said account password to blank / empty). By doing so, TRK effectively revert the Windows account password from empty / blank to the original state.

As you can imagine now, how dangerous it is if your vanilla Windows 7 machine is left in the public area and everyone could easily access to it.

The bad guy who uses TRK could easily gain access to Windows 7 with a blank password, do whatever things to leave a backdoor and left it back to you appear intact. I would say you won’t easily notice they have done this as you can still login with a darn complicated password that you think it is impossible for one to break it in few ten years. In actual fact, however, they can gain access in no time as they do not crack the complicated password but simply reset and revert it back.

So, how to prevent TRK cracks Windows 7 admin password?

1) Use the BitLocker Drive Encryption to secure both the operating system and data drives. While I do not read much about this Windows 7 BitLocker, but I am somewhat convinced of its encryption capabilities to safeguard Windows 7 from true unauthorized system access.

BitLocker is not available in all Windows 7 editions. BitLocker Drive Encryption is only available in a computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.

2) Configure BIOS to prompt password for booting up Windows 7. This is not a good idea too as out there are many toolkit used for resetting BIOS password.

3) Keep an eye on the Windows system Security log in Windows Event Viewer, to spot whoever login to your Windows account without your consent.

How To Get SHA-1 Checksum Of File In Windows?

Walker — Sun, 27 Dec 2009 12:39:55 +0000

What is that SHA-1 checksum and how to compute or check the SHA-1 checksum in Windows 7?

You will come across SHA-1 checksum as you download the DVD image file of Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1.

Similar to MD5 checksum, SHA-1 is just another cryptographic hash values or message digest of data. While MD5 hashing algorithm creates a 128-bit hash value, SHA-1 hashing algorithm creates a 160-bit hash value.

In order to ensure a piece of data (e.g. string, file, program, etc) received by recipient is genuine or has not been tampered, the publisher will and should use a hashing algorithm (e.g. MD5, SHA-1, etc) to calculate the data checksum and pass it to recipient for verification.

Upon receive the data completely, recipient uses the same hashing algorithm to compute the data checksum and verify it against the one sent by publisher. Should the hash value or message digest match, then the data is said to be genuine or remains intact.

So, after download the Windows SDK ISO image, you should check and verify the SHA-1 checksum to confirm the image file has not been corrupted (caused by incomplete download, etc).

Although Microsoft Windows doesn’t bundle any file checksum program, cannot even find one in the latest Windows 7, there are many 3-party freeware. For example both HashCheck and digestIT 2004 are capable to calculate MD5 and SHA-1 checksum of files. The HashCheck can even compute CRC-32 and MD4 checksum, if you’re interested in these hash values too.

There is also one offer from Microsoft Download Center. However, the Microsoft File Checksum Integrity Verifier is stated as an unsupported command line file checksum utility. Well, no big deal – although it works but I bet you will not want to keep using this boring command line program after trying HashCheck that integrate file checksum functions to Windows Explorer.

Disable Adobe Reader JavaScript Function Or Take The Risk!

Walker — Wed, 16 Dec 2009 15:54:53 +0000

Do you believe that hackers could put your valuable data at risk as you open a manipulated PDF file with Adobe Reader?

Yes, it is true. With reference to an alert from Shadowserver Foundation¹, Adobe Reader with JavaScript function enabled (by default) is subject to exploit by hackers who target the security flaws. If you open a crafted PDF file with Adobe Reader that allows JavaScript execution, your valuable personal data will be at risk of being stolen.

Until Adobe publishes a latest Adobe Acrobat Reader or patch to fix this JavaScript vulnerability, you should disable the Adobe JavaScript feature in no time:

Click Edit menu followed by Preferences. Alternatively, press CTRL+K keyboard shortcut to bring up Adobe Reader Preferences dialog box.
Locate and click the JavaScript on the left pane and deselect the check-boxes to disable Adobe JavaScript from putting you data at risk.

For your info, the latest Adobe Reader 9.2 and earlier versions are all subject to this JavaScript security flaw, and the attack using this flaw is not easily detected by Antivirus and/or Internet security suite.

¹The Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.

How To Secure Gmail Connection By Encrypting Session With HTTPS?

Walker — Sun, 06 Dec 2009 05:03:30 +0000

Unless your Gmail account is only receiving newsletters or keeping emails that are not really personal and important, you should pay attention to Gmail security related announcements and features.

There is an option in Settings page, allows user to enforce Gmail applying HTTP or HTTPS browser connection:

By default, Gmail only apply HTTPS protocol during account login session (in fact that is Google Account authentication page which is later redirected to Gmail Inbox). The subsequent connection between you (the browser) and Gmail server is on the insecure HTTP protocol.

Two methods to always secure Gmail session

You can choose either one of these two methods to completely secure Gmail connection, from the moment you log in until log out:

Always use HTTPS

As shown in the screenshot (above), click Settings link (top-right corner) and access to General tab of Settings page. Locate the “Browser Connection” section, select “Always use HTTPS” and then (remember) to click the “Save Changes” button (at bottom of page).

The drawbacks of using this method are as follow:

For those who use Gmail Notifier, make sure the Gmail Notifier patch is installed. Otherwise, Gmail Notifier will work unexpectedly when “Always use https” option is enabled.
Both Google Toolbar and Gmail for mobile application might encounter unexpected errors

Explicitly tells web browser to access Gmail over HTTPS protocol

Regardless what web browser you’re using, so long as the browser supports HTTPS protocol, you can manually type this following URL in address bar and press ENTER key to forcibly access Gmail over HTTPS protocol, from the time of log in until log out:

https://mail.google.com

The advantage of using this manual method is that you can decide when to use HTTPS. If you can’t access to Google Account over HTTPS, you could simply access Google web services over the insecure HTTP protocol (if you willing to bear the risk).

How To Configure Kaspersky IS 2010 Firewall Rule?

Walker — Sun, 29 Nov 2009 20:06:55 +0000

Kaspersky explicitly claims that only version 9.0.0.736 (Critical Fix 2) and higher are compatible with Windows 7. That might not be true, however, especially to those who experiences Windows 7 hang problem when copying some files with Easy Asian characters.

In addition, I don’t think that everyone happy with its new Firewall rule maintenance interface. To me, it is confusing and not user-friendly.

Kaspersky IS 2010 Firewall “problem” and solution

These following guides are made with reference to version 9.0.0.736, the latest Kaspersky IS that said compatible with Windows 7, at this time of writing.

1) Trusted applications are automatically allowed to all network activities. In some occasions, I hardly able to stop a new program from sending information to Internet right after installation have done, because the program signed with digital signature and thus classified as trusted program.

To prevent this from happening, I’ve to disable the network card from Windows during installation. After installation completes, define a new Firewall filtering rule that block all network access to supersede default rules set by Kaspersky.

To add user-defined filtering rule to a program: In Firewall filtering rules, select target program in the list and click “Add” link (at bottom) to proceed with Network Rules dialog box (as shown).

2) Are you mad looking for a way to delete application from the Firewall filtering rules?

You cannot manually delete an application appears in Firewall filtering rules setup page. You can, however, delete the application from Application Activity Control – right click a program from the list and select “Delete from the list”:

Click the Kaspersky icon in Notification Area (System Tray). Alternatively, go to Start button > All programs > Kaspersky Internet Security 2010 to launch the security program.
In the main program user interface, click “My Security Zone” follow by “Application activity” link:
Select “All” from the Category drop-drop list box, locate the unwanted program and right click to select “Delete from list” option. That’s the way to delete or housekeep unwanted firewall rules in Kaspersky IS 2010!

3) Kaspersky IS 2010 will automatically delete programs from firewall filtering rules, if the programs remain inactive for a number of days that defined by user. Right click Kaspersky icon in Notification Area, select Settings, click Application Control on the left panel, and tick the check box labelled as “Delete rules for applications remaining inactive for more than xx days”.

Not happy with the new Kaspersky IS? Well, you have choice to live with it or drop it and pick up alternative Internet security software to safeguard your lovely Windows 7.