Archive

Posts Tagged ‘Security’

MetaData: I’ll Bet You Thought That Was Private?

September 19th, 2009

Ever heard of MetaData? Wikipedia describes it best:

Metadata (meta data, or sometimes metainformation) is “data about data”, of any sort in any media.

So I hear you thinking: who cares? Well, for starters: you should.

MetaData contains a lot more information than “data about data”. Documents such as .PDF, .DOC, .XLS, .PPT, … contain information such as

  • Revision history of files (in case of Word documents)
  • Usernames of the person creating/editing the file
  • Paths to where the file was/is located
  • Software version used (Word 5.0, Word 10.0, …)
  • Public network shares

If you’re still saying “so what?”, ask yourself the following question: should this data really be public? Should everyone really know my username to my computer? Or everyone who contributed to a certain file? Or where I saved it, and what software I used?

If I were a malicious person, I could use that information for a targeted attack: I can send you a phishing e-mail, with the names of some of your colleagues in it, or one of those names as the FROM-address, so it looks legitimate. I could use that software version number to attach a very specific software exploit, so I can gain control over your system. I can use your username to brute-force your password.

See a trend there? The MetaData is giving out a lot of info that can be abused, and there are plenty of ways to get it. Consider our good friend Google for a second: they have some very nifty filters you can use in order to search efficiently. Ever searched for the string “site:microsoft.com filetype:doc”? It gives you a list of all .DOC files found on the microsoft.com site.

Guess what information is in those files?

Revision info, for everyone who worked on a file:

revision history – Revision #7: Author ‘benjaxxx’ worked on ”
revision history – Revision #6: Author ‘waly xxx’ worked on ”
revision history – Revision #5: Author ‘Steve xxx’ worked on ”
revision history – Revision #4: Author ‘waly xxx’ worked on ”
revision history – Revision #3: Author ‘waly xxx’ worked on ”
revision history – Revision #2: Author ‘waly xxx’ worked on ”
revision history – Revision #1: Author ‘waly xxx’ worked on ”
revision history – Revision #0: Author ‘waly xxx’ worked on ”

Paths used in that computer:

H:\SQL\SQL70_sp2\Langs\Spanish\updated_Readme_Localised\test\
\\MULTIMED-SERVER\WWWROOT\Peru\ftpfiles\
C:\WINDOWS\TEMP\
\\Dolphin\adcu\IDEAS\

And the list goes on!

By using publicly available information, I can get enough information to get an idea of the internal layout of a company. And I haven’t even set foot inside it yet. Tools such as Metagoofil simplify the act of getting this information, by searching Google for you – and extracting the metadata.
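A publisher-side check for the leak described above, as an added example that is not from the original post: it audits an OOXML file (.docx/.xlsx/.pptx, used here instead of the legacy .DOC format because the Python standard library can read it) for usernames, software version and local/UNC paths before the file goes public. The function names `audit_ooxml` and `build_sample`, and every name and path in the sample document, are constructed for this illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Drive-letter paths (C:\...) and UNC shares (\\server\share\...)
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\[\w.-]+\\)[^\s<>\"|?*]+")

def audit_ooxml(data: bytes) -> dict:
    """Return identifying metadata found in an OOXML package (.docx/.xlsx/.pptx)."""
    found = {"users": set(), "software": set(), "paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            raw = pkg.read(name)
            found["paths"].update(PATH_RE.findall(raw.decode("utf-8", errors="replace")))
            if name == "docProps/core.xml":      # author and last editor
                root = ET.fromstring(raw)
                names = (root.findtext(t, "", NS) for t in ("dc:creator", "cp:lastModifiedBy"))
                found["users"].update(n for n in names if n)
            elif name == "docProps/app.xml":     # authoring application and version
                root = ET.fromstring(raw)
                bits = [root.findtext(f"ep:{t}", "", NS) for t in ("Application", "AppVersion")]
                if any(bits):
                    found["software"].add(" ".join(b for b in bits if b))
    return found

def build_sample() -> bytes:  # constructed sample; every name and path in it is made up
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>"
            "</cp:coreProperties>",
        "docProps/app.xml": f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word'
            "</Application><AppVersion>12.0000</AppVersion></Properties>",
        "word/_rels/settings.xml.rels": r'<Relationships><Relationship '
            r'Target="file:///\\FILESRV01\templates\report.dotx"/></Relationships>',
        "word/document.xml": r"<doc>saved from C:\Users\jdoe\draft.docx</doc>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__": print(audit_ooxml(build_sample()))
```

Any non-empty set in the result is a reason to clean the file's properties before it is uploaded to a public site.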

Matti Security

Facebook Compromised: Uses CSS-Files From Identified Phishing Site

December 3rd, 2008

*Edit: It’s a false alarm. The CSS files that were included belonged to Facebook, but apparently the domain they reside on (fbcdn.net) got tagged as “Phishing Site”. The notifications are gone from FireFox & Google’s Chrome.

It seems as if Facebook has been compromised, and is serving several .CSS files that have been identified as “Phishing Sites”.

Google Chrome users will see a message, similar to this one (but probably in their own language).

Facebook Phishing

There seems to be some malicious javascript code on the homepage, as well as several very weird .CSS includes (careful when you try to load these!).

<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/<INSERT RANDOM GIBBERISH CODE HERE>.css" />

The .CSS files are loaded from a static website: http://static.ak.fbcdn.net/
The main domain,  http://fbcdn.net/, is already reported. Both links will alert FireFox & Chrome users of the Phishing Site.

If you want to see the source code, I suggest you browse to Facebook with Google’s Chrome, and upon seeing the message shown above click on the shortcut “CTRL + U” (View Source). This trick doesn’t work in FireFox.

Matti Security

How Do I Reset My Admin Password Of Plesk (Linux CLI)

November 3rd, 2008

You can reset an “admin”-account password in Plesk, but only if you have root-access to the specific server. Once you do, you can easily change the admin password to anything you desire – although the password should be 5 to 16 characters long, and may not exceed that length.

If the reason for the reset is that you’ve lost your password, there’s an easier trick too – the admin-account password is stored in plain text on the server (don’t ask why …), and can easily be retrieved. Read more…

Matti Plesk

How To Bypass Windows 98’s Security System

October 1st, 2008

Here’s an awesome animated gif that’ll show you how to bypass the security system on a Windows ‘98. How easy can it be? This would’ve been worth gold back in ‘98! Read more…

Matti Security

Top Tools For Penetration Testing (Security Analysis/Hacking)

September 23rd, 2008

Here’s a quick list of some of the better tools available for doing network/host penetration testing. Most of these tools require a Linux-based OS, some have a Windows version.

These programs range from basic utilities, to entire frameworks and live CDs. Read more…

Matti Security

The Right SQL User, For The Right Job

August 23rd, 2008

Just about every (web)application being built uses just one SQL user to do all its queries. This SQL user usually has all privileges to read data from the database, as well as perform UPDATE, INSERT & DELETE queries.

Wouldn’t it be a good idea to use a separate SQL user with only SELECT privileges to perform all your data-retrieval (= most common) queries? This read-only user could greatly increase the security in your application, too. Read more…

Matti Webdevelopment

How To Identify Hidden Processes In Windows (Rootkits)

August 16th, 2008

It’s one thing to detect evil processes running on a Linux system, it’s quite another to detect them when they’re hidden from the system itself. A rootkit does just that. It runs one, or several, processes and hides them from the system so they become undetectable.

I’ve recently shared how to detect bad processes if they’re not hidden on a Linux system, but how do you go about discovering processes that are inherently hidden to you, on a Windows device? Read more…

Matti Windows

Common Security Flaws In PHP Applications

August 13th, 2008

No matter how long you’ve been programming or scripting, once in a while you’ll catch yourself making a serious (security) flaw that you thought you’d never make, because you “have the experience”. These are some of the most basic things a programmer should think of, but often forgets – because after all, we have to think of *a lot* of best-practice situations. Read more…

Matti PHP