
Explained: OAuth: what you need to know

Posted by Ryan on February 6, 2012 at 1:29 pm

What is OAuth? OAuth is a delegated-authorisation protocol, originally developed for web applications and born inside Twitter in 2006. It enables third-party software to do something on your behalf, for a limited time and within a limited scope, without giving that software full, permanent access to your account. You still log in to the service that holds your data; OAuth only carries the permission you grant. The most common analogy is valet keys. Let's delve a little deeper and find out more about OAuth.

Q: So, valet keys. You mean those keys normally handed to parking attendants at hotels?

A: Yes. Those keys make it possible to open, start and drive your car, but only for a very short trip and without opening the trunk. OAuth works like a valet key for your data. It gives temporary and restricted access to something that's yours, without giving away full control.

Q: Now, I understand what you mean, but is this a real-world problem?

A: It became one when online services and social networks in all their forms, from Twitter and Flickr to remote banking, became not only ubiquitous but interconnected: they're much more useful when you can make them work together.

Q: You refer to cases such as publishing a Flickr gallery on Facebook.

A: Yes, exactly. Being able to do that without re-entering everything manually is great. However, doing it without something like OAuth usually meant giving those sites full access to all of your stuff (files, contact lists, or the whole of a service).

Q: So that's why you talked about both authentication and authorisation?

A: Correct, and the two must not be confused. Authentication means having a way to prove that you are really you; in general it makes no difference whether 'you' is a human being or a software program. Authorisation is a separate, equally necessary service: deciding what an already-identified party is allowed to do. If a person or program has already proved to Facebook who they are, this doesn't mean that they have permission to update our status as if they were us. OAuth is about the second question. It answers 'may this program do X on this user's behalf?', not 'who is this user?', which is why an access token on its own is not proof of anyone's identity.

Q: Couldn't OpenID have been used for this?

A: OpenID only deals with authentication.
OAuth, instead, helps in all those cases in which (using OAuth terminology) some software (the client) that would like to access data on behalf of whoever has the right to authorise such access (the resource owner) is completely separate from, and unknown to, the software or service that actually stores those resources (the server).

Q: Wait a second! Something like this was possible years before OAuth!

A: Yes, but in most cases it meant either using a single account on a network of already co-operating websites, or giving at least one of them your usernames and passwords for all the others. OAuth attempts to close this security hole.

Q: You mean authorising access to what's inside a web account without giving out my password and username?

A: Let's assume that you made a comment on some blog, and want that blog to post it on Twitter on your behalf, to save typing. When you tell the blog software to do this (for example by clicking a button), it sends your browser to Twitter with a request that includes the blog's client identifier, the list of data or services it'd like to access on your behalf (the scope), and the address on the blog to which you should be sent back afterwards. Twitter (not the blog!) then presents you with an authorisation form hosted on its own server. If you log in successfully on Twitter and answer 'yes' to that request, you'll have authorised Twitter to satisfy the request of that blog, without handing over your password and username. That form is the moment to read what is actually being asked for: a blog that wants to post a comment needs permission to write your status, not to read your direct messages.

Q: Cool! Then what?

A: Twitter tells your browser to go back to the blog, at the return address registered for that client, with a special URL that carries a short-lived, single-use authorisation code (in OAuth 1.0 terms, a verifier for the request token). The blog software then presents that code to Twitter directly, together with its own client credentials, and receives the access token in exchange. Only the blog ever sees the access token; the browser only ever carries the one-time code, and a code that has already been exchanged is refused. From then on the blog presents the access token to Twitter as proof that it is the one that just got your permission to do something to, or with, your account.

Q: And this will work with every OAuth-compatible website, not just Twitter?

A: That's correct. As long as those websites don't reject the initial request, of course, for example because the client is not registered with them.
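The exchange just described, as an added example that is not part of the original article: a toy in-memory 'Twitter' (authorisation server plus resource server) and a toy 'blog' client, written in the style of the OAuth 2.0 authorisation code flow. The server, client, user, URLs and the scope string 'status:write' are all made up. The point is who sees which secret: the browser carries only a one-time code, the client must present its own credentials to turn that code into an access token, a redeemed code cannot be replayed, and the token is honoured only within the granted scope.

```python
"""Toy delegated-authorisation flow in the style of OAuth 2.0's authorisation
code grant. Added example: the server, client, user, URLs and scope names are
all made up; no real Twitter or blog API is involved."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def _query(url):
    """Flatten a URL's query string into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorisationServer:
    """Stands in for the site that holds the user's data (the 'Twitter' side)."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect URI)
        self.pending = {}   # one-time code -> (client_id, user, scope)
        self.tokens = {}    # access token -> (client_id, user, scope)

    def register_client(self, name, redirect_uri):
        """Developer registration: the server, not the developer, mints the credentials."""
        client_id = f"{name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorise(self, request_url, user, approved):
        """The consent form: the user is logged in here, on the server, and says yes or no.
        Returns the URL the browser is sent back to."""
        q = _query(request_url)
        if q["client_id"] not in self.clients:
            raise PermissionError("unknown client")
        _, registered_uri = self.clients[q["client_id"]]
        # Only ever send the browser back to the URI registered for this client, so a
        # hostile party cannot ask for the code to be delivered somewhere else.
        if q.get("redirect_uri", registered_uri) != registered_uri:
            raise PermissionError("redirect_uri does not match registration")
        if not approved:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.pending[code] = (q["client_id"], user, q["scope"])
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def exchange(self, code, client_id, client_secret):
        """Server-to-server call: one-time code plus client credentials -> access token."""
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self.pending.pop(code, None)   # pop: a code can be redeemed exactly once
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, expired or already-used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry
        return token

    def post_status(self, token, text):
        """Resource access: honour the token only within the scope the user granted."""
        if token not in self.tokens:
            raise PermissionError("invalid token")
        _, user, scope = self.tokens[token]
        if "status:write" not in scope.split():
            raise PermissionError("token not authorised to post")
        return f"@{user}: {text}"


class BlogClient:
    """Stands in for the third-party site acting on the user's behalf."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.expected_state = None

    def authorisation_url(self, scope):
        # 'state' ties the eventual redirect back to this browser session (CSRF check).
        self.expected_state = secrets.token_urlsafe(16)
        return "https://twitter.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.expected_state})

    def handle_redirect(self, url):
        q = _query(url)
        if not hmac.compare_digest(q.get("state", ""), self.expected_state or ""):
            raise PermissionError("state mismatch: this redirect did not start with us")
        if "error" in q:
            raise PermissionError(q["error"])
        # The browser only ever carried the code; the token comes back over this direct call.
        return self.server.exchange(q["code"], self.client_id, self.client_secret)


def run_flow(approved=True, scope="status:write"):
    """One complete delegation. Returns (posted text, token, server, client)."""
    twitter = AuthorisationServer()
    cid, csec = twitter.register_client("blog", "https://blog.example/oauth/callback")
    blog = BlogClient(twitter, cid, csec, "https://blog.example/oauth/callback")
    url = blog.authorisation_url(scope)                                 # 1. browser sent to Twitter
    back = twitter.authorise(url, user="alice", approved=approved)     # 2. user logs in, answers
    token = blog.handle_redirect(back)                                  # 3. code swapped for token
    return twitter.post_status(token, "Nice post!"), token, twitter, blog


if __name__ == "__main__":
    print(run_flow()[0])
```

Running the file posts "@alice: Nice post!". Try it with `approved=False`, with a second client presenting a stolen code, or with a token granted for a read-only scope, and each step refuses; those refusals, not the happy path, are what the protocol is for.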
Besides convenience for the end user, another powerful driver for OAuth was the wish to make life harder for spambots and other malicious applications.

Q: How would OAuth do that?

A: Regardless of user authorisation, a program can work as described only if it has permission to do so from the website it wants to access. OAuth accomplishes this by using several identification keys, or credentials, in parallel.

Q: What are these credentials and who issues them?

A: The ones we've already mentioned, which declare that access from some program is allowed without giving your password to it, are called token credentials. Before getting to that point, however, the client must have presented the server with valid client credentials (a client identifier and a client secret). These are issued by the server itself: when the developers of some software want to add OAuth support to it, they register with the server to obtain them. This makes it a bit easier to stop some malware, but it also broke lots of existing programs.

Q: You keep speaking of websites. Does this mean that OAuth is unusable by desktop software?

A: Now that's a trick question. Technically, there is nothing in OAuth that prevents clients from being traditional desktop applications running on your computer. In practice, doing it (at least with OAuth 1.0) either makes life harder for good-faith developers, or makes the whole client-credentials concept almost useless. Especially with open source software.

Q: Argh! Now that's bad, but why?

A: Because the scheme I described works only as long as the client secret stays secret, which is the case when it is embedded in code that runs inside some web server, where nobody can read it from the source or, using hex editors and similar tools, from the executable. Ship the same secret inside a program that runs on users' machines and anyone can extract it and impersonate that client; the secret then proves nothing about who is calling.

Q: Is this why the problem is even bigger with open source desktop software?

A: Precisely.
If you put something that's supposed to stay private in some source code that everybody has the right to download and study, it's not private by definition, is it?

Q: Sure, but this only makes the scheme less useful. Why did you also say that OAuth breaks existing software?

A: Because before OAuth 1.0, anybody with a basic knowledge of shell scripting and cURL (including yours truly!) could, in just a few minutes, wrap up a script that would log in to Twitter with a username and password, to read a timeline or post a tweet. OAuth made this impossible without valid, registered client credentials, and with 1.0 every request must also carry a signature computed over its parameters. Even when getting those credentials takes much longer than writing the script in the first place!

Q: Isn't there any way to patch those scripts?

A: Of course there is: register the script as a client and use one of the many OAuth libraries to do the signing. However, this still makes those scripts much more complicated to write and maintain than they used to be. Until OAuth 2.0 is released, at least.

Q: You mean there's a version 2.0 coming? When?

A: The forecast, while we write, is that OAuth 2.0 should be completed by the end of 2011.

Q: What's new in OAuth 2.0? Will it solve these problems?

A: It could. One of the most important changes is the addition or redefinition of several so-called 'flows' (grant types) to obtain credentials in the most straightforward way for each kind of client, including scenarios where clients are not web servers but, for example, software running on mobile devices, which cannot keep a secret at all. There is also a 'resource owner password credentials' flow, in which a trusted client sends the user's username and password directly in exchange for a token; that should make it possible to resurrect the old cURL-based automation scripts, at the price of handing the password to the client again, so it is meant only for clients the user already trusts completely. OAuth 2.0 also drops the per-request signatures in favour of bearer tokens sent over TLS, which removes most of the complexity (and some of the performance cost) of OAuth 1.0, but means that anyone who obtains a token can use it, so tokens must be kept out of logs and URLs.

Q: Where can I find out more?

A: The official OAuth Introduction.
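What the old cURL scripts now have to do under OAuth 1.0, as an added example (not code from the article): build the signature base string and HMAC-SHA1 signature of RFC 5849 from the client credentials and token credentials discussed above, and, on the server side, recompute it from the received request. The request and its base string are the worked example in RFC 5849 section 3.4.1.1; the client secret and token secret are constructed values, since the RFC example's secrets are not reproduced here.

```python
"""OAuth 1.0 request signing (RFC 5849, HMAC-SHA1) and its verification.
Added example, not code from the article. The request and its base string are
the worked example in RFC 5849 section 3.4.1.1; the two secrets are made up."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s):
    """RFC 5849 section 3.6 percent-encoding: everything but A-Z a-z 0-9 - . _ ~ is escaped."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, oauth_params, body=""):
    """Gather every parameter (query string, form body, oauth_* header fields),
    encode, sort, and join as METHOD&base-URL&normalised-parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalised)])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Key is client-secret&token-secret; neither secret ever travels in the request."""
    key = f"{oauth_encode(client_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def authorization_header(method, url, oauth_params, client_secret, token_secret="", body=""):
    """Client side: the Authorization: OAuth header sent with the request."""
    base = signature_base_string(method, url, oauth_params, body)
    fields = dict(oauth_params, oauth_signature=hmac_sha1_signature(base, client_secret, token_secret))
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in fields.items())


def verify(method, url, header, client_secret, token_secret="", body=""):
    """Server side: rebuild the base string from what was received and recompute the signature."""
    if not header.startswith("OAuth "):
        return False
    fields = dict(parse_qsl(header[len("OAuth "):].replace(", ", "&").replace('"', "")))
    sent = fields.pop("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, fields, body),
                                   client_secret, token_secret)
    return hmac.compare_digest(sent, expected)


# Worked request from RFC 5849 section 3.4.1.1: POST to http://example.com/request
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"                      # application/x-www-form-urlencoded body
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
# Constructed secrets (the RFC's own are not reproduced); real ones come from registration.
CLIENT_SECRET = "constructed-client-secret"
TOKEN_SECRET = "constructed-token-secret"

if __name__ == "__main__":
    hdr = authorization_header("POST", RFC_URL, RFC_OAUTH, CLIENT_SECRET, TOKEN_SECRET, RFC_BODY)
    print(hdr)
    print("verifies:", verify("POST", RFC_URL, hdr, CLIENT_SECRET, TOKEN_SECRET, RFC_BODY))
```

Every byte of the request is covered by the signature, so a proxy that rewrites a parameter, or a script that gets the percent-encoding or the sort order slightly wrong, produces a request the server silently rejects; that, more than registration itself, is what made the quick cURL scripts so fragile. A real server also has to remember recent nonces and check the timestamp, otherwise a captured request can be replayed verbatim.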

Tutorial: Hacking tools you can use to protect your PC

Posted by Ryan on February 3, 2012 at 3:47 pm

What tools do security professionals and hackers rely on? It's a question whose answer changes as quickly as the online threat landscape, but there are some favourites in the current toolkit that never go out of fashion. Far from being major, comprehensive attack platforms, these utilities usually do one obscure thing quickly and reliably. Their developers simply keep updating them to add new facilities and, crucially, to make them easier to use. Some of these utilities are online, while others can be carried on a USB pen drive. The common factor is that they're available to anyone. While every security researcher and hacker typically carries a small armoury of such tools, they have their own ways of using them to assess security or mount attacks.

Dig services

The first step in mounting an attack or securing an online information resource is to assess what is visible to others over the internet. For large organisations, more than just the mail and web servers will be visible. Sometimes this is a mistake on the part of the network administrator, but sometimes it's done for misplaced expediency. Either way, it can be the first step towards a full-scale compromise of the internal network. The best and safest way to assess what's visible is to use a public Dig service; dig, the command line tool behind such services, stands for 'Domain Information Groper'. These services interrogate the global DNS system for details about a target. Using a Dig service, you can uncover several classes of information, including the domain's DNS servers, web servers and mail servers (mail exchangers, or MX records, in DNS speak). It's sometimes also possible to uncover plenty of addresses of computers that really shouldn't be reachable from the internet, but which someone has added to DNS in the mistaken belief that others won't know they're there. This goes against the maxim that 'security through obscurity is no security'. One such Dig service is provided here. To get started, enter the name of a domain (without the 'www.') and click the button marked 'Dig'.
Depending on how much information DNS holds about a domain, Dig's output can be very comprehensive, and gives a good overview of the parts of a network that can be seen from the internet. The most important part of this information begins after the line containing the words 'ANSWER SECTION'. This gives the IP addresses of any internet-facing servers. For a website hosted by a third-party company, this will be the IP address of the shared server on which the site resides. You can focus the information returned by selecting the 'Type' dropdown menu. 'Network addresses' (A records) will return only the IP addresses of any server that can be contacted directly. You can also return only information about the mail exchangers (MX) and the domain's authoritative DNS nameservers (NS).

Most Dig services let you try something called a zone transfer (an AXFR request). This shouldn't be possible these days, but back when network administrators were less focused on security than on keeping internet connectivity going, zone transfers were possible from many DNS nameservers. A zone transfer is a transfer of the complete, authoritative domain data. It's meant to occur only between a domain's own nameservers, but a poorly configured nameserver will hand it to anyone who asks. The result is a long list of computers and their IP addresses which, although they are in DNS, could not otherwise be found without guessing each name, and which have a direct connection to the internet and are exposed to attack. This information is ideal for hackers, because it gives them a list of targets without having to scan a range of IP addresses and risk tripping an intrusion detection system. If you run a nameserver, check that it refuses transfers to anything but your own secondaries.

Nmap

The next step is knowing which hosts are available on a network, and what ports they have open. The great granddaddy of port scanners is Nmap. It's grown into an essential tool for anyone interested in online security. Nmap was originally a Linux command line tool, but it's been ported to Windows and given a snazzy GUI front end called Zenmap.
The underlying Nmap has a huge number of command line options, but Zenmap makes it considerably easier to use. Get the Windows version here. The installer includes the WinPcap driver, which lets Nmap send and capture the raw packets needed to probe the TCP/IP stacks of remote hosts and identify the OS they are running. Once installation is complete, run Zenmap and the user interface should appear. Enter the IP address of a computer on your own network in the 'Target' box, and select 'Quick scan' on the 'Profile' menu. Click 'Scan'. This produces an overview of which ports are open and listening on the target PC. For a target on your own subnet it also includes the MAC address of the target's network card, which Zenmap uses to look up the manufacturer (the MAC address is only visible to hosts on the same network segment, so a scan from across the internet will not show it). Combined with the OS and service versions that Nmap reports, this is the kind of information a hacker uses to look up known vulnerabilities that may grant access or the ability to create mayhem. For a more comprehensive view of the machine, select 'Intense scan, all TCP ports' and click 'Scan'. This fires packets at all 65,535 TCP ports on the target PC. It also interrogates the machine, revealing clues about its running OS. This information is vital in determining the next course of action to penetrate the system. One of Zenmap's particularly useful features is the ability to scan an entire subnet for targets, which it then interrogates for details. Simply substitute the last number in the IP address with an asterisk ('192.168.0.*' for example). This is also a great way to see if anything has been connected to your network secretly: scan regularly and compare the results with a known-good baseline.

NBTEnum

Once we know what targets are available to a hacker who has penetrated our defences and can see our network, the next task is to try to discover what facilities each machine offers for exploitation. This is important because, even if the hacker can't exploit them directly, they may well be able to interrogate them to produce much more useful information.
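Before moving on to NBTEnum, one way to act on the subnet scan just described, as an added example that is not part of the original tutorial: Nmap can write 'grepable' output with -oG, and comparing two such files shows which hosts and open ports have appeared since a baseline scan. Both scan outputs below are constructed samples in that format, not real scan results.

```python
"""Compare two Nmap grepable (-oG) scans of the same subnet to spot new hosts
and newly opened ports. Added example; both scan outputs below are constructed."""
import ipaddress

BASELINE_SCAN = (
    "# Nmap 5.61 scan initiated Mon Jan 30 20:01:11 2012 as: nmap -oG baseline.gnmap 192.168.0.0/24\n"
    "Host: 192.168.0.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.0.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\n"
    "Host: 192.168.0.10 (desktop.lan)\tStatus: Up\n"
    "Host: 192.168.0.10 (desktop.lan)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: filtered (998)\n"
    "# Nmap done at Mon Jan 30 20:02:40 2012 -- 256 IP addresses (2 hosts up) scanned in 89.1 seconds\n"
)
CURRENT_SCAN = (
    "# Nmap 5.61 scan initiated Fri Feb  3 15:10:02 2012 as: nmap -oG current.gnmap 192.168.0.0/24\n"
    "Host: 192.168.0.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\n"
    "Host: 192.168.0.10 (desktop.lan)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n"
    "Host: 192.168.0.77 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\tIgnored State: filtered (998)\n"
    "# Nmap done at Fri Feb  3 15:11:30 2012 -- 256 IP addresses (3 hosts up) scanned in 88.0 seconds\n"
)


def parse_grepable(text):
    """Return {ip: {"name": str, "ports": {(proto, port): service}}}.
    Each -oG 'Host:' line is tab-separated; port entries are
    port/state/protocol/owner/service/rpc info/version/ (most fields often empty)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        tokens = fields[0].split()
        ip = tokens[1]
        name = tokens[2].strip("()") if len(tokens) > 2 else ""
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    bits = item.split("/")
                    port, state, proto, service = int(bits[0]), bits[1], bits[2], bits[4]
                    if state == "open":      # closed/filtered ports are noise for this purpose
                        entry["ports"][(proto, port)] = service
    return hosts


def diff_scans(baseline, current):
    """What appeared since the baseline: hosts never seen before, and open ports on
    known hosts that were not open before. Hosts that vanished are reported too."""
    by_ip = ipaddress.ip_address
    new_hosts = sorted(set(current) - set(baseline), key=by_ip)
    missing_hosts = sorted(set(baseline) - set(current), key=by_ip)
    new_open_ports = {}
    for ip, entry in current.items():
        before = baseline.get(ip, {"ports": {}})["ports"]
        added = {key: svc for key, svc in entry["ports"].items() if key not in before}
        if added:
            new_open_ports[ip] = added
    return {"new_hosts": new_hosts, "missing_hosts": missing_hosts, "new_open_ports": new_open_ports}


def report(diff):
    """Human-readable lines, one per finding."""
    lines = [f"NEW HOST    {ip}" for ip in diff["new_hosts"]]
    lines += [f"GONE        {ip}" for ip in diff["missing_hosts"]]
    for ip, ports in sorted(diff["new_open_ports"].items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        for (proto, port), svc in sorted(ports.items()):
            lines.append(f"NEW PORT    {ip} {port}/{proto} ({svc})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN)))))
```

On the constructed data the report shows one unknown host (192.168.0.77 with SSH open) and Remote Desktop newly listening on the desktop. Run the scan from the same vantage point each time; a host that only looks 'new' because the baseline was taken from a different network segment is a false alarm, not a finding.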
NBTEnum, originally written by Reed Arvin, is a very old utility that is now difficult to find, but don't let its age or obscurity fool you. NBTEnum can uncover shockingly large amounts of information from an unprotected Windows PC just by asking for it. This is the classic 'null session' problem: an SMB connection made with no username and password at all can still ask the server to list its shares and accounts. You can currently download NBTEnum from the Packet Storm security website. Open the ZIP file and move the contents into a new folder. NBTEnum is a command line utility, so open a command prompt and navigate to its directory. To run it, enter the command NBTEnum -q <IP address>, substituting the address of a Windows PC on your network. If the target accepts connection requests via its NetBIOS service, NBTEnum will create a web page detailing what this shockingly indiscreet service tells it. Open this in a browser and you should, at minimum, see that NBTEnum has enumerated the shares (if any) that the target says are available for remote mounting. If you know a username and password on the target computer, you can reveal a huge amount more. Enter NBTEnum -s <IP address> <username> <password>, making the necessary substitutions. NBTEnum generates more verbiage, but the resultant web page can offer masses of detail. NBTEnum can also recover the open shares, users and groups, whether accounts are enabled, their lockout threshold and, on Windows 7, a full list of services including which ones are currently running. This is all still possible because so many people insist on having no password, one that is easily guessed, or one that is the same as their username. When I was a network security consultant, finding a network populated by targets running older versions of Windows usually meant a day running NBTEnum against them with a username of 'Guest' and no password. By default, the guest account was enabled and unprotected: perfect to shock network administrators into disabling such accounts. The fixes are the obvious ones: disable the Guest account, turn on the 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' policy, and block TCP ports 139 and 445 at the perimeter.
inSSIDer

We live in an increasingly wireless world, but the nature of a wireless signal means the information it carries is broadcast over a wide area. There are a large number of tools that can be used to survey the local Wi-Fi landscape, but one of the best is the Windows port of inSSIDer 2 by MetaGeek. You can download inSSIDer here. When run, inSSIDer begins discovering and enumerating the Wi-Fi networks in range. The top half of the interface fills with details of the networks, including their security setting. Those marked 'None' are wide open: anyone can join and look around, and everything sent over them can be read by anyone in range. Those using the older WEP protection are vulnerable in practice, because the algorithm has weaknesses that let an attacker recover the key from captured traffic in minutes; treat WEP as equivalent to no protection and use WPA2 with a long passphrase instead. In the average neighbourhood, there could be as many as three dozen networks in range, some without any protection. inSSIDer also displays the Wi-Fi channel used by each router within range. Change yours to a channel not used in your area and you could see an improvement in overall data transfer speeds.

Disable your Symantec pcAnywhere software ASAP

Posted by Ryan on January 30, 2012 at 9:15 am

Those of you out there still using Symantec's pcAnywhere, an application that let you access your computer remotely (a relatively early form of what is now called 'cloud' computing), should stop using it immediately.
Symantec has issued an announcement saying that the hacking and theft of several of their security products several years ago has [...]

O2 ‘apologises’ for number data leak

Posted by Ryan on January 26, 2012 at 8:59 am

O2 has published an apology over today's data leak, in which its customers' mobile phone numbers were being sent to every website they visited.
A simple site was set up to show what information a phone sends when a page is accessed using a mobile browser, and O2's network was found to be adding the user's mobile number to the HTTP request headers, where any web server could read it.
O2 has finally responded to the issue [...]

Tutorial: How to recover lost Windows passwords

Posted by Ryan on January 18, 2012 at 5:17 pm

Many of us have a love-hate relationship with passwords. They're great for dissuading youngsters from logging onto our machines and wreaking havoc with our files, but they're just as likely to turn around and bite us. Forget an obscure, intricately crafted password and you're in a world of pain. It's true that all versions of Windows enable you to create password-reset discs, but what do you do if you find yourself locked out without that disc? There are several tools out there that can help you recover the forgotten password, and the best of the lot is Ophcrack. It reads the Security Accounts Manager (SAM) database in Windows, which stores user account passwords as LAN Manager (LM) or NT LAN Manager (NTLM) hashes, and uses pre-computed rainbow tables to recover the passwords. Security researcher Dr Philippe Oechslin, who devised the rainbow-table technique, developed the tool and its tables. The technique works because Windows stores these hashes unsalted: the same password always produces the same hash, so the expensive work of hashing billions of candidates can be done once and reused against every SAM file. That is also why the tool is just as useful to an attacker with physical access to your machine as it is to you.

Ophcrack

Ophcrack is licensed under the GPL, and is available as a free download for Windows and Linux. To retrieve your password, you'll need to boot into another OS installed on a separate disc or partition. We assume you know enough about your BIOS to change your PC's boot order. The best way to use Ophcrack is via its Live CD, which works if you don't have a dual-boot PC, or have forgotten the login password for all installations. The Live CD is based on the minimalist SliTaz Linux distribution. You can either burn the Ophcrack ISO onto a CD, or use the YUMI Multiboot USB Creator to copy the ISO onto a USB drive. The Live CD is available in two flavours: one helps you crack Windows XP passwords, and the other targets Windows Vista installations. The two CDs package the same program, but with different rainbow tables, because Windows XP and Vista store different hashes: XP keeps the weak LM hash alongside the NTLM hash by default, whereas Vista and later store only the NTLM hash.

Using the Live CD

When you boot from the Ophcrack Live CD, you'll get a boot screen with several options. Usually, 'Ophcrack graphic mode – automatic' should work. Once the Live CD boots you into the SliTaz graphical environment, it automatically launches the graphical Ophcrack tool. It will list all the user accounts it has found on your computer under the User column, and attempt to recover their passwords. Unless your password is fairly complicated, contains lots of characters or you're on a dated machine, the tool shouldn't take long to crack your passwords. When it's done, the passwords are listed in the NT Pwd column. If the password field corresponding to your user is empty, there is no password for that user. That's all there is to it. Now all you have to do is note down the password for your users, reboot into Windows, and log in with your username and the newly found password.

The automated password recovery procedure on the Ophcrack Live CD should suffice for most situations, but if it doesn't, you can configure the program more comprehensively. Password cracking is a time-consuming task, but you can speed up the process by asking Ophcrack to employ all the cores on your multi-core processor. To do this, switch to the Preferences tab in Ophcrack's interface and set the number of threads to a figure one greater than the number of cores. For example, on a quad-core machine, set the number to '5'. Make sure you restart Ophcrack after changing this setting. Another way to speed things up, especially if your Windows installation has several users, is to delete from the list any user accounts whose passwords you don't need to recover. Even if you're the only user, Windows will have a couple of extra user accounts such as Guest and Administrator. Finally, you can increase your chances of cracking the passwords by installing additional tables. Depending on which Live CD you've downloaded, you'll either have the XP Free Small or the Vista Free table.

Get more tables

You can download additional tables from Ophcrack's website. Besides the aforementioned tables, only the 703MB XP Free Fast table is available for free. The others can be downloaded for a fee, and can be used to crack passwords that aren't based on dictionary words, include special characters, German characters or numbers, and are of various lengths. Once downloaded, simply copy the tables into the 'Tables' directory in the root of your USB drive. Ophcrack will pick them up automatically on startup.

Although the Ophcrack Live CD will automatically detect users on the system it's running on, it gives you the option to load the password hashes manually. This comes in handy when you're running it on a dual-boot machine or against a copy of the SAM taken from another machine. The 'Load' button gives you several options to load the hashes. The 'Single hash' option lets you specify a hash manually. With the 'PWDUMP file' option, you can import hashes dumped with a third-party tool such as fgdump. You can also manually point Ophcrack to a SAM file you've copied from another machine. The SAM file lives in the 'system32/config' directory under the Windows folder; it is locked while Windows is running, so it has to be copied from a system booted from elsewhere, and the SYSTEM hive from the same directory is needed alongside it to decrypt the hashes it contains.

Offline NT Password and Registry Editor

Depending on how complex the password is, there's a possibility that Ophcrack will not be able to crack it. If you've been unable to discover your Windows password this way, you can always try resetting it with the Offline NT Password and Registry Editor, but be aware of the implications before you start. If you used Windows' Encrypting File System (EFS) to encrypt files, a reset (as opposed to a change made while logged in) will give you access to the installation, but the encrypted files will no longer be recoverable, because the key that protects them is derived from the old password. With the Offline NT Password and Registry Editor, you can reset the password for any version of Windows. It's available as a 4MB live CD. When you boot from it, it will detect all the drives, and the partitions on those drives, that have valid Windows installations. The first step is to select the partition that houses the Windows installation whose password you need to reset. Windows 7 creates a small, bootable system partition as well as the regular Windows partition that contains the OS files, so make sure you point to the larger of the two. Next, the tool asks you the location of the password registry. In most cases, the default path should work, unless you've tinkered with its location, in which case you should have a fair idea where this needs to point. After reading the password registry, the tool prints a list of users, and gives you the option to set a new password, wipe the password, enable/disable a user, or escalate their privileges to those of an administrator. Make sure you write the changes to the registry before exiting the tool. Once you're able to log back into your Windows installation, remember to change the password to something complex that you can still recall easily.

How to create a Windows password-reset disc

All versions of Windows let you create a password-reset disc using the Forgotten Password wizard. The exact steps for doing this vary somewhat depending on the version of Windows you're running. In Windows XP, head to Control Panel and select User Accounts. In the 'Pick an account to change' area, select your username, then under Related Tasks in the sidebar, click 'Prevent a forgotten password'. This will launch the Forgotten Password wizard. In Windows Vista, head to User Accounts and Family Safety in Control Panel. Here, under User Accounts, you'll find the 'Create a password reset disk' option. Follow the same route under Windows 7 to get to the Forgotten Password wizard. In all versions of Windows, the wizard will ask you to insert the removable drive, prompt you for the current account password, and create the password-reset disc. You don't need to create a disc every time you change your Windows password: it'll work no matter how many times you've changed it. On the other hand, this means that your Windows installation can be compromised with ease if you ever lose the disc, so store it as carefully as you would the password itself. Unlike the offline reset described above, a reset done with this disc keeps your EFS-encrypted files accessible, which is one more reason to make one before you need it.
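To make concrete what Ophcrack is working on, an added example that is not from the original tutorial: the NT hash is MD4 of the password encoded as UTF-16LE, with no salt, so a single table of hash-to-password pairs serves every SAM file ever made, and an empty password is recognisable by its constant hash. MD4 is implemented here because many current OpenSSL builds no longer provide it; the SAM entries are constructed, and the hash shown for 'alice' is the well-known NT hash of the word 'password'.

```python
"""NT password hash (MD4 of the UTF-16LE password, unsalted) and a lookup table
attack on constructed SAM entries. Added example, not code from the tutorial.
MD4 is implemented here because many OpenSSL builds no longer ship it."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: three rounds of 16 operations over each 64-byte block."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"                 # padding: one 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The NTLM ('NT') hash Ophcrack reads from the SAM: MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT_HASH = nt_hash("")   # constant for every account with no password; Ophcrack shows it blank


def build_table(candidates):
    """With no salt, hashing each candidate once gives a table that works against every
    SAM file; rainbow tables are a space-compressed version of exactly this idea."""
    return {nt_hash(p): p for p in candidates}


def crack(sam_entries, table):
    """Map each account to its recovered password: '' for no password, None if not in the table."""
    found = {}
    for user, digest in sam_entries.items():
        digest = digest.lower()
        found[user] = "" if digest == EMPTY_NT_HASH else table.get(digest)
    return found


# Constructed SAM entries (user -> NT hash). 'alice' uses the well-known hash of "password".
SAMPLE_SAM = {
    "Administrator": nt_hash("Winter2012"),
    "alice": "8846F7EAEE8FB117AD06BDD830B7586C",
    "Guest": EMPTY_NT_HASH,
    "bob": nt_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_SAM, build_table(["password", "letmein", "Winter2012"])).items():
        print(f"{user:14} {'<no password>' if pw == '' else pw if pw else '<not in table>'}")
```

Two things follow from this. The lookup takes no more work for the Administrator account than for anyone else, because the hash reveals nothing about who owns it; and a passphrase like bob's, which is outside any table, is what 'fairly complicated' means in practice, since the tables Ophcrack ships are bounded by length and character set, not by cleverness.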