Man-in-the-Middle (MITM) Exploits; what they are and how to STOP them

Most of us defend our PCs, websites and servers with an increasing variety of “anti” tools; however it is equally important to understand how or where an assault comes from. So when personally considering your own PC or Internet security this takes a proactive offensive view “I can do something to STOP…” rather than a passive “hiding in the bunker ” defensive position. The best form of defense is offence?

The main route for many web site hacks, defacement, and denial of service (DDoS) attacks is Man-in-the-Middle (MITM) exploits. It is a very easy concept to understand for all of us; consider an unknown person is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. It has a very techie background for those who want to know more – check out Wikipedia for the background or definitions. Here I will solely deal with a pragmatic approach of what you can do to STOP any MTIM.

Firstly a healthy element of paranoia helps, consider from the PC you are reading this article with, what possible connections are there? Home or office network, local ISP, regional backbone routers, international re-routers, DNS servers, server farms, ad networks, web site host, and finally the web site, MITM could be lurking inside anyone of these connections, points or nodes, and as we know so well at StopBadware, within a script on a web site. Worried? Don’t be; just assume the MITM is there, you have the all the solutions at hand and mostly free. The answer is in the technical background “cryptography”, i.e. encryption, passwords, Chmod (website file permissions), and CAPTCHA (establishing the user is a human). Action checklist for all:

Email: use a digital ID or certificate (low cost), PGP encryption (pretty good privacy – free), and as a surprise for sensitive email I now use and recommend Gmail with HTTPS, less connections! All this STOPS any MITM from being able to read your emails.

Web Surfing: Only access online shops or other personal ID sensitive areas where there is HTTPS (SLL), look at the web address, use secure and change your passwords regularly. If you really want to be in control use Firefox with added extras e.g. No-Script (STOPS any script, unless you say OK), Key Scrambler (encrypts any login or password entry STOPS keyloggers), set your privacy options to accept any cookie (STOPS unwanted and bad cookies from being stored on your PC), even consider using PHproxy (this STOPS a web site from even gaining your real IP address).

Webmasters: Only use FTPS to transfer files between your web site and the PC (this STOPS any MITM from intercepting data), use Chmod to restrict access to files, encrypt file directories where you can, apply different passwords to access cPanel, phpMyAdmin, use CAPTCHA for user logins and apply SSL for user data areas (these actions STOP any MTIM from gaining access to your files.

Blocking: Probably the best offensive action you can take, think of it like this “your PC is your home your website is your shop, club, bar, you have the total right to bar entrance to hooligans or thieves”. It is much easier to refuse entrance than to try and throw the unwanted visitor out. For example use OpenDNS on your router it is free, automatically STOPS phishing sites and many other blocking options. Use banning lists on cPanel, ban spammers on your forum, or ask your host for help.

Finally refuse to be a victim and hide in the bunker, STOP the MTIM you actually have all the tools at hand. But…. what if a MITM is already hiding inside before you go on the offensive? Check and clean your PC of any BadWare; for the webmaster does your webhost also host any bad guys? Easy to determine, check the latest block lists on the web.

Cost of Cyber crime = $105 billion?

A great deal of press concerning the CEO of McAfee statement, DeWalt said, "...... that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide." In a follow up comment in McAfee's blog Lies, Damn Lies and Statistics trying to stress the input came from Reuters and here for CNN, based upon the Government Accountability Office recognized this in its June 2007 report.

However, DeWalt was right from the perspective ".....clearly, placing a value on the size of the cybercrime economy is a real challenge."

As an example the recent VeriSign / iDefense analysis on the Russian Business Network (RBN) showed - see: The Economist article - just for one venture, Rock Phish, they netted $150 million in one year. As an example the RBN’s network, its affiliates, “free-hosting” sites, and associated businesses, the overall dollar value is much more substantial.

However, the RBN is one of the most obvious for quantification. If one was to include malware, spyware, spam, and general BadWare, which most end users who have been victims would definitely call - cyber-crime -. Therefore the $105 billion quoted is an underestimate?

Injection hack detection method - PHP Code

A good working Injection hack detection method provided by Ez via StopBadWare Forum

The script is brutally simple because we needed a quick fix. If the hacks recur I will make it smarter. Its only purpose is to tell me if a critical file (such as index.php) has changed size. I assume that injection hacks change the file size, as they did on our site.

A smarter script would compare file mod times with a database record. This would require a more complex script because it would have to store legitimate mod timestamps and depend on a human (unless more complex still, including the IP or http login etc.).

Operating scenario --

1.) Hacker injects code, increasing the file size.

2.) Next request to serve the home page (or other page of your choice) triggers the detector, which compares current file size with that for archived original.

3.) Detector sends email with file mod timestamp to webmaster.

4.) Script replaces hacked file with copy of an archived original, exits.

The webmaster needs to keep track of the most recent authorized file modifications (presumably by the webmaster). The email includes the timestamp of the over-size file's mod time. The system admin (or tech
support) uses this timestamp to trace the hack through the server log and identify the mode of entry.

To get fancier, you could scan all files in a directory for the mod time (example, using the PHP filemtime() function), comparing with a database record of legitimate mod timestamps.

Anyhow, here's the index file size script. I keep utility functions in a separate file named "func.inc" so it needs to load first. But this isn't necessary. Then the function compares the size of the file that usually gets hacked (such as index.php) and compares it with a reference copy (x_index.php) in a secure directory ("refz"). Of course, you can also loop through a list of filenames that are popular hack targets. The function can return the file write result, but I don't use it.

/* top of index.php, after DOCTYPE declaration */

function hackDet () {
$tst = "";
$gzt = "index.php";
$stat = stat($gzt);
$gzt2 = "refz/x_" . $gzt;
$rstat = stat($gzt2);
$ref = $rstat[size];
$rtim = $_SERVER['REQUEST_TIME'];
$rtim2 = date("F d Y H:i:s.", $rtim) . " Eastern";
$mtim = filemtime($gzt);
$mtim2 = date("F d Y H:i:s.", $mtim) . " Eastern";

if ($stat[size] <> $ref)
{
$fw = "index.php";
$hak = file_get_contents($fw);

$msg = "$gzt has $stat[size] bytes and not $ref as it should.\n\n";
$msg .= "FILE MOD TIME $mtim: $mtim2\n";
$msg .= "REQUEST_TIME $rtim: $rtim2\n\n";
$msg .= "=================\n\n";
$msg .= $hak;

$msg = wordwrap($msg, 70);
mail('yourn...@yourdomain.com', 'HACK ALERT', $msg);

$fr = "refz/x_index.php";
$str = file_get_contents($fr);
$tst = file_put_contents($fw, $str);
}
return $tst;

}

$tst = hackDet(); // calls the hack detection function
?>

China as an Internet Threat - The facts!

I really do find some of the current wave of rhetoric about the threat to the internet from China really worrying, if not downright dangerous for international relations. I suppose it a good topic for poor technical journalism, to gain publication in US & European journals / web. Old adage; "Why let the facts spoil a good story"?

Ref: China leads Asia in malicious online activity - CNet News

Let me make my position clear, I am not Chinese and I do not live in China, however I do know a thing or two about internet security threats. Here are some facts for the readers who possibly might read the above article and take it as factual:



(a) As of Sept 20 07 the US is the clear leader in known Spam issues, by 5:1 over China (ref Spamhaus.org).



(b) The internet is global and any quantitative analysis must base itself on comparative users. Reasonable estimates now show about 2:1 of Chinese internet user access over US users and anywhere from 5 to 20:1 over other Asian countries. Based on this on any Spam or malware distributor estimation this would place China about tenth on any list on countries, and well down the list in Asia.



(c) In China there are severe legal penalties for such acts, recently Yahoo could distribute malware to 15 million of its users and hardly gets a technical press mention, and no legal sanction.



(d) Why you may ask am I so concerned? On a recent exploit tracking exercise, despite apparent Chinese language sites being the cause. These sites were actually based and funded out of Toronto with bullet proof servers out of San Francisco!



Remember it is just as easy to get a free mail.cn / low cost Chinese based hosting, or mail.ru for that matter, being based in the US. As it is to get a Hotmail or Yahoo hosting account.

iFrame Injection Source?

Sources for iFrame injection?


Try this one as a site and a "major" source, which is so blatant it is mind boggling, and truly worth "outing". Those webmasters who have been flagged and have battled against iFrame injection, here is one of the major sources, try blaming these guys as opposed to Google / StopBadWare. Luckily a few of us have just recently been able to get McAfee's Site Advisor to blacklist them (Red X).


iFrameDollars (dot) com - http://www.siteadvisor.com/sites/iframedollars.com - Just so you knwo they pay webmasters / smaller hosts to inject iFrame exploits on other websites!!!!


To cover this here is a email sent to their US based host - still unanswered! - Please help by contacting them.

To "Layered Technologies" Abuse Team - you can contact them on Phone: 1-866-584-6784, General Information: info@layeredtech.com, Sales Information: sales@layeredtech.com


-------------------------------------------------------
Hi,

Checking your acceptable use policy, how come you allow iFramedollars com to have dedicated serving or any hosting at all?

Do you have any idea what they actually do? Check out their web site or even better check out their business model as they still call it iFrame Cash as their earlier form iFrameDollars biz; try:

ISC Sans = iframeDOLLARS; Cyber Extortion,

Spamhaus = http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7615

http://sunbeltblog.blogspot.com/2006/06/those-nice-dear-boys-at-iframecash.html

and many many more......

Please note the registrant info etc., exactly the same on 72.36.199.58 as within the Rokso lasso, even more obvious is the web site still states iFrame Cash & iFrame biz, and the same iFrame exploit "affiliate" model.

As someone who helps out on website clean ups, they currently claim 300 webmasters who essentially are injecting and spreading iFrame exploits for cash.

I am certain StopBadWare, Spamhaus, ISC Sans, FBI, etc., etc. will only be too surprised to now learn the RBN's (Russian Business Network) so called "bullet-proof hosting" is actually based within the US at layeredtech (dot) com.

I look forward to your reply.
-----------------------------------------------------



As mentioned, no reply to 5 emails, maybe we all should enquire of layeredtech.com we could make the difference?


Here are a few questions and points:

(1) Can StopBadWare / Google do anything about this flagrant abuse of the webmaster community?


(2) Here is the clearest example of the need for a public blacklist list of "professional" Badware distributors (thanks to Site Advisor, but how about here)?


(3) We sometimes rightly debate about Twinky, Zango, etc., how about deliberately distributing iFrame exploits for $$$ as an affiliate, any one prepared to defend this?


(4) Who would also like to know who the 300+ host / webmaster affiliates (BadWare distributors) are of "iframe Cash"?


(5) Just so you know, after you have been flagged by Google, lost business, and spent sleepless nights trying to fix your web site, and keep it clean; the FrameCash affiliates get about $1.50 for your site , as long as they produce a minimum of 50 sites per month!!!


I told you mind boggling!

Searching for Evil - InfoSec

I have to say this was one of the best presentations I have seen related to the wider issues of InfoSec.


ABSTRACT

Computer security has recently imported a lot of ideas from economics, psychology and ... all » sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed. Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson Ross Anderson is one of the top security researchers in the world.

Rebecca the Webmaster - A StopBadWare Case Study: Practical Guide for Webmasters (1 of 3)

Don't panic!!!" - Rebecca the Webmaster - A StopBadWare Case Study: Practical Guide for Webmasters– descriptions of tools we used. (Part 1 of 3) - In-depth analysis of problems and issues (Part 2 of 3), - Avoiding problems in > the future (Part 3 of 3)

This is the requested follow up from “Rebecca the Webmaster - this is my story, no tears, no glory.” Here we describe the problem solving methodology, analysis, tools used, web code issues, and steps taken to avoid problems in the future. The “we” are Rebecca a newbie webmaster with the guidance of El Jart, also we made sure that although Jart started with his “geek” tools (which I could not even understand the names of), we made sure anything we used was available to all and “free” – no commercials. Remember if I can learn to do this anyone can.

Introduction
First of all let us stress the obvious; regular checks of the tools available to virtually all webmasters are the way to avoid being flagged by Google in the first place, see how to avoid problems below. However, remember even the best web sites get hacked or compromised, for example AOL or MSN, so the most important advice from The Hitchhiker’s Guide to the Galaxy “Don’t Panic!!!”

The Tools
Just a word of caution, the tools below worked for us, however do get the help of your web host and only do this work if you have a PC with a really good anti-virus, anti-spyware etc. The stuff you are trying to clean up can bite; also make sure your PC is clean in the first place!

1. Server access – I know it sounds obvious but to start with as the site webmaster I realized I did not have full access or know what tools were available. So check this first, if you use CPanel or similar many of the tools to clean up and check are there e.g. http://www.cpanel.net/docs/cpanel/

2. Firefox and add ons – As the webmaster you have to be able to look at the site and check what is called. What we mean by this is the “scripts”, for example you may use a simple Ad or banner, what is actually called by your web site, e.g. the “inline scripts”, “cookies” etc. Just a note for end users if you surf with Firefox and these add ons https://addons.mozilla.org/en-US/firefox/browse/type:1 your surfing is a lot safer, it is then up to you if you want to accept scripts, cookies or other downloads.

a. Firefox – ensure latest version (set for no-popups and cookies to manually accept)
b. Google toolbar (add on) – this helps to search the web for any terms or third party web addresses, but for me if you search “define:sql injection” you can get any description to help you or use “site:anywebsite.com” “inurl:anywebsite.com” “cache:anywebsite.com” you see a lot more about any web site, including your own.
c. McAfee Site Advisor (add on)– Just to check out any web address you come across, especially on any spam or script.
d. No-Script (add on) – this is great because when used you can look at a web sites but any script on the web site is disabled.
e. PhProxy (add on) – Using this you can go to any website without using your real IP address, however this is for the first safe look, you have to switch this off when you look at “inline scripts”
f. Edit Cookies (add on) – Now you can see any cookies, before you accept them
g. DOM Inspector (add on) – Lets you inspect a web window and its contents.
h. Safe cache (add on) – Prevents any cache based privacy attacks.
i. Key scrambler (add on) – This encrypts any passwords you type on your PC for websites; just in case there are keyloggers in action.
j. Web developer (add on) – This lets you check the actual scripts called, in other words not what you think is on your website, but what the user actually gets.

3. Notepad ++ - This is an Open Source text editor, using this you can capture or download text, HTML, scripts, server log files, SQL, and save for later examination.

4. SmartFTP – There are several around this is the one we used, simply because you can use it in a secure mode and set / reset file permissions, so you help being attacked again.

5. Windiff – A free utility so you can compare directories that you FTP as a backup from your website to your PC and even individual files.

6. On the server (assumes PHP & MySQL);

a. Server Log files – just use your secure FTP to download and check in your text editor
b. PHPmyAdmin – now this is daunting at first but a bit of reading http://www.phpmyadmin.net/home_page/docs.php soon help to master this, in our case this was vital to down load and backup the website databases. This is where we found most of the problems that could have re-infected / re-hijacked us.
c. PhpBB – forum tools http://www.phpbb.com/community/ lots of help here.

7. Common sense – Maybe the most important webmaster tool as Jart kept on stressing, what should be within the website; its scripts, files, on the forums, within the SQL databases, etc. If you see a call to some website you do not recognize check it out. If some script is calling to download a special multi-media application, is it the real one? If some website / bot is coming to your site (on the server log files) every 10 seconds, why is it coming? What is its purpose or even more important what is calling it? Simple really.

1 of 3