Pastejacking: what if what you paste is not what you copied!

Those little JavaScript snippets on websites that no one ever checks can push notifications and get your geolocation with your permission; they can also store files in your cache, open windows, log keystrokes, follow your mouse movements and override your clipboard without your permission!

Well, the issue here is that you cannot be sure of what you have in your clipboard! I can think of two scenarios where this can be a security issue:

  • When a normal user copies content from a website and pastes it directly into a vulnerable piece of software (Microsoft Word?!), and the copied content simply triggers the vulnerability.
  • When an admin copies and pastes a command directly from a website (tutorials?!) into their terminal! This is the creepy one because, depending on the admin's privileges (duh!!), it can download and execute scripts; and then, to make things look OK, it performs a cleanup and probably does what it was supposed to do!!

If you are thinking of disabling JavaScript, CSS (Cascading Style Sheets) can also be used to hide some content among what you are copying! The problem with CSS is that you cannot be sure what you are copying!

The solution is not that difficult though: just be aware of what you paste and where you paste it, and think twice before you paste!! Perhaps paste into a notepad first, or just get a clipboard manager!

P.S. You can find a simple demonstration here:

GitHub – dxa4481/Pastejacking: A demo of overriding what’s in a person’s clipboard


VirusTotal and changes in endpoint security

As you may know, VirusTotal is a Google-owned company with huge resources where you can simply get the result of checking a file against multiple AntiVirus (AV) engines.

I recently came across an announcement from VirusTotal (VT) that probably affects many endpoint security companies. The fact is that VT provides a rich API that enables almost anyone to build their own AV. This could easily be misused by startup endpoint security companies that simply did not have a proper engine but, thanks to VT (and the hard work of all the powerful AV engines in VT), could still get a very good detection rate.

During my experience with AV engines it always bothered me how easy it is to fool everyone without even having a proper engine! Well, with the recent announcement I think this issue is resolved, as it strictly forces AV companies to share their engines with VT if they are going to use the community's results.

Perhaps we could expect some of the wrongly praised companies to go down, since they are no longer able to access VT's results and most probably have no presentable AV engine to share with the community in return!

Do we take security seriously?

No! As a matter of fact no one does, and that is why even the biggest enterprises get hacked at least once! Security is like a submarine: even the smallest hole lets the water in.

I just went through a write-up of a very interesting attack. It is interesting not because of any complicated technique but because of the target of the attack! This is actually old news, but it is interesting to find out the details of how Hacking Team got hacked!

You can find it here: https://pastebin.com/raw/0SNSvyjJ

What did the target do wrong? I would say not taking security seriously. This is a little reminder that security is a culture, and no matter how much we know about it we may actually get hacked (or, in this case, assist the hack) with our rookie mistakes. You can go through it and see that the main defence of the target was their network edge, and once the hacker passed it, no more serious security existed!

Linux restricted administration

One of the challenges when adding a user in a Linux environment is when you need to precisely define what they can or cannot do. Some may find configuring authorisation in Linux a bit complicated. In my case I needed to add a user with the privilege to execute some commands with sudo, but without full root access.

The first thing is to create the user we want to customise:

adduser jack

and then create the key and later pass the id_rsa to him:

# generate the key pair in the current directory; the post used "-t dsa", but
# that produces id_dsa (not the id_rsa.pub copied below) and ssh-dss keys are
# refused by default since OpenSSH 7.0, so an RSA key is generated instead
ssh-keygen -t rsa -b 4096 -f ./id_rsa
# install the public half as jack's authorized key (assumed to be run from
# /home, so the relative paths below resolve to /home/jack/.ssh)
mkdir jack/.ssh
chmod 700 jack/.ssh/
cp id_rsa.pub jack/.ssh/authorized_keys
chmod 600 jack/.ssh/authorized_keys
chown -R jack:jack jack/.ssh

Then you should edit the sudoers:

visudo -f /etc/sudoers.d/developers-configs

and put the following in that file:

User_Alias DEVELOPERS = jack,john

Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, /usr/bin/tail /var/log/nginx/*.access, /bin/grep * /var/log/nginx/*.error, /bin/grep * /var/log/nginx/*.access

Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, /usr/bin/nano /etc/nginx/site.d/*.conf, /bin/cat /etc/nginx/site.d/*.conf

Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, /sbin/service php-fpm status, /sbin/service nginx restart, /sbin/service nginx configtest, /sbin/service php-fpm restart

DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX

We just created DEVELOPERS as an alias for users and SEELOGS, EDITCONFIGS and RESTARTNGINX as aliases for the commands the users can execute; and then assigned the SEELOGS, EDITCONFIGS and RESTARTNGINX privileges to DEVELOPERS. If you want users to be prompted for a password, you can remove the “NOPASSWD:” part.
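As an added example (not code from the original post): a small Python audit of the sudoers fragment above. It expands the aliases into the per-user list of commands and flags the entries that are wider than they look: editors such as vi and nano have a shell escape, and a bare * argument matches more than one argument. The SUDOERS text is the post's fragment embedded as constructed input, and the parser only handles the alias and grant syntax used there.

```python
import re

# Constructed input: the /etc/sudoers.d/developers-configs fragment from the post.
SUDOERS = """
User_Alias DEVELOPERS = jack,john
Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, /usr/bin/tail /var/log/nginx/*.access, /bin/grep * /var/log/nginx/*.error, /bin/grep * /var/log/nginx/*.access
Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, /usr/bin/nano /etc/nginx/site.d/*.conf, /bin/cat /etc/nginx/site.d/*.conf
Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, /sbin/service php-fpm status, /sbin/service nginx restart, /sbin/service nginx configtest, /sbin/service php-fpm restart
DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX
"""

# Programs with a built-in way to run other commands (a shell escape such as
# ":!" in vi): a sudo grant on them is a root shell in disguise.
SHELL_ESCAPES = {"vi", "vim", "nano", "less", "more", "man", "find", "awk", "perl"}

def effective_commands(text):
    # Expand User_Alias/Cmnd_Alias into {user: [command pattern, ...]}. Handles
    # only the syntax the post uses: aliases plus "users hosts = [TAG:] cmds".
    users, cmds, result = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)", line)
        if m:
            table = users if m.group(1) == "User_Alias" else cmds
            table[m.group(2)] = [c.strip() for c in m.group(3).split(",")]
        elif (m := re.match(r"\s*(\S+)\s+\S+\s*=\s*(?:\w+:\s*)*(.*)", line)):
            for user in users.get(m.group(1), [m.group(1)]):
                for c in (c.strip() for c in m.group(2).split(",")):
                    result.setdefault(user, []).extend(cmds.get(c, [c]))
    return result

def risky(command):
    # Why one sudoers command entry is root-equivalent, or None if it looks bounded.
    prog, _, args = command.partition(" ")
    if prog.rsplit("/", 1)[-1] in SHELL_ESCAPES:
        return "program can spawn a shell"
    if "*" in args.split():
        # sudoers matches the arguments as one space-delimited string, so a bare
        # * also matches any number of extra arguments (e.g. more file paths).
        return "bare * argument"
    return None

def audit(text):
    # {user: [(command, reason), ...]} for every grant that is wider than it looks.
    findings = {}
    for user, commands in effective_commands(text).items():
        for c in commands:
            if risky(c):
                findings.setdefault(user, []).append((c, risky(c)))
    return findings
```

Running audit(SUDOERS) reports four entries per developer (both grep lines and both editors); the tail, cat and service entries pass. Wrapping the log and config access in a small script that takes no free arguments, and granting only that script, keeps the intent of the fragment without the root-equivalent entries.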

Please note that, depending on your OS, you may need to add the user in “/etc/ssh/sshd_config” … for example “AllowUsers jack”.

Two Factor Authentication with SSHD

The default authentication method for Amazon EC2 instances is public-key authentication. This is the config for requiring password authentication alongside the public-key authentication:

sudo vi /etc/ssh/sshd_config

and set the following options in it:

AuthenticationMethods publickey,password
PasswordAuthentication yes
ChallengeResponseAuthentication yes

then give the user a password and restart the daemon:

sudo passwd ec2-user
sudo service sshd restart
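As an added example (not code from the original post): a Python check that reads sshd_config lines and decides whether a client holding only the account password, and no key, could log in. It applies two sshd rules that are easy to get wrong: the first value given for a keyword wins, and AuthenticationMethods is a list of comma-separated chains of which any one chain, completed in full, is enough. The SSHD_CONFIG text is the post's three lines embedded as constructed input; Match blocks are out of scope and the check stops at the first one.

```python
# Constructed input: the post's three lines as they would sit in /etc/ssh/sshd_config.
SSHD_CONFIG = """
AuthenticationMethods publickey,password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Methods a client can complete with nothing but the account password / PAM secret.
SECRET_ONLY = {"password", "keyboard-interactive", "keyboard-interactive:pam"}

def settings(text):
    # sshd keeps the FIRST value it reads for a keyword (keywords are
    # case-insensitive); later duplicates are ignored. Global scope only:
    # parsing stops at the first Match block.
    seen = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def password_only_login_possible(text):
    # True if some permitted method chain needs no key, i.e. the password alone
    # opens the account. Defaults follow sshd_config(5): both methods default to yes,
    # and KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication.
    s = settings(text)
    enabled = {
        "password": s.get("passwordauthentication", "yes").lower() == "yes",
        "keyboard-interactive": s.get("kbdinteractiveauthentication",
            s.get("challengeresponseauthentication", "yes")).lower() == "yes",
    }
    enabled["keyboard-interactive:pam"] = enabled["keyboard-interactive"]
    chains = s.get("authenticationmethods", "any").split()
    if chains == ["any"]:   # no chain restriction: any single enabled method will do
        return enabled["password"] or enabled["keyboard-interactive"]
    for chain in chains:    # one chain must be satisfied in full
        methods = set(chain.split(","))
        if methods <= SECRET_ONLY and all(enabled[m] for m in methods):
            return True
    return False
```

With the post's lines the function returns False, as intended; a config such as "AuthenticationMethods publickey,password password" returns True, because the second chain lets the password stand alone.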