FTP Saved Passwords threat

[Screenshot: FileZilla, http://filezilla-project.org]

Introduction

This is a short post to warn about the dangers of saved passwords in popular FTP clients. Saved passwords in most open source software are a threat: no encryption technique can protect this sensitive type of data when the source is public, because the decryption routine can be read, and reversed or simply reused, by anyone.

The Gumblar botnet

Gumblar, also known as Troj/JSRedir-R, is a malicious threat delivered through PDF documents. Gumblar redirects visitors to a variety of websites containing other malware. The infection goes unnoticed: the infected PDF is opened by the Adobe Acrobat plugin in the browser or by Adobe Acrobat itself, which then allows Gumblar to look for the saved-password files stored by FTP clients such as FileZilla or Dreamweaver, which are in plain text (either in XML format or in other files).

It then connects to the FTP servers and modifies every HTML, JavaScript, XML and CSS file online, appending a JavaScript redirection to a malicious website in order to infect further victims.

Gumblar also sniffs network traffic for FTP passwords. (Further Gumblar details are not covered in this post.)

FileZilla case

The location of the password files varies depending on the operating system. On Windows, for example, they are stored in the directory:

%APPDATA%/FileZilla

A sample screenshot of one of the files containing unprotected passwords can be found below:

[Screenshot: FileZilla sitemanager.xml file containing unprotected passwords]
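As an added example (not from the original post, and not FileZilla's own code), the following script audits a sitemanager.xml file and reports which saved sites carry a stored password, without ever printing the password itself. The sample XML is constructed to mirror the file shown above; treat the exact element names as an assumption, and note that an entry whose password is merely encoded (for instance base64) is reported too, since encoding is not protection.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla's sitemanager.xml.  The element
# names follow the file the post shows; the exact schema is an assumption.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>ftp2.example.test</Host>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Staging site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <User>keyuser</User>
      <Name>No password stored</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_sitemanager(xml_text):
    """Return (name, host, user, encoding) for every Server entry that stores a
    password.  The password value is never returned.  A Pass element with an
    encoding attribute (e.g. base64) is still reported: anyone who can read the
    file can reverse the encoding, so it does not protect the credential."""
    root = ET.fromstring(xml_text)
    exposed = []
    for server in root.iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # no stored password for this site
        exposed.append((
            server.findtext("Name", ""),
            server.findtext("Host", ""),
            server.findtext("User", ""),
            pw.get("encoding", "plain"),
        ))
    return exposed

def audit_file(path=None):
    """Audit the real file (default: %APPDATA%/FileZilla/sitemanager.xml, the
    Windows location given in the post); returns [] when the file is absent."""
    path = path or os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_sitemanager(fh.read())

if __name__ == "__main__":
    for name, host, user, enc in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"stored password ({enc}): {name!r} as {user}@{host}")
```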

Is WinSCP a good replacement?

When thinking about a solution for this problem, there is no straightforward method. Furthermore, switching to another FTP client is not the answer: WinSCP stores the saved passwords as registry keys, but in plain text as well.

Conclusion

In case you were infected and Gumblar successfully connected to all your FTP servers and modified all your files (see the Gumblar botnet section above), you have to roll back all your HTML, JavaScript, XML and CSS files to a previous clean version. In case you don’t have a previous version, well… a search and replace (via regular expressions) becomes your only solution (I will not go into the details of how to do this, maybe in future posts).
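As an added example (not from the original post, and not a real Gumblar signature), here is the regex-based search and replace the paragraph above alludes to, for the HTML case: it flags external script tags whose host is not one of the site's own, reports anything appended after the closing html tag, and strips the foreign tags. The sample page, the trusted host and the placeholder host are constructed.

```python
import re

# A <script src="http(s)://host/..."></script> pair; group 1 captures the host.
EXTERNAL_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc=["\']https?://([^/"\'>]+)[^"\']*["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)

def find_foreign_scripts(html, trusted_hosts):
    """Return (host, tag_text) for every external <script> whose host is not in
    trusted_hosts.  An injection of the kind described in the post adds such a
    tag; treating any untrusted host as suspect is a heuristic, not a signature."""
    hits = []
    for m in EXTERNAL_SCRIPT.finditer(html):
        host = m.group(1).lower()
        if host not in trusted_hosts:
            hits.append((host, m.group(0)))
    return hits

def trailing_junk(html):
    """Return non-whitespace content placed after the closing </html> tag; a
    well-formed page has none, so anything here deserves a look."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()

def strip_foreign_scripts(html, trusted_hosts):
    """Regex search-and-replace: remove every flagged tag, keep the site's own.
    Returns (cleaned_html, number_removed)."""
    removed = 0
    def repl(m):
        nonlocal removed
        if m.group(1).lower() in trusted_hosts:
            return m.group(0)  # legitimate script, leave it in place
        removed += 1
        return ""
    return EXTERNAL_SCRIPT.sub(repl, html), removed

# Constructed sample page: one legitimate script from the site's own host plus
# a tag appended after </html> that points at a placeholder host (not an IoC).
SAMPLE = (
    '<html><head><script src="https://www.example-site.test/app.js"></script>'
    '</head><body><p>Hello</p></body></html>\n'
    '<script src="http://malicious-placeholder.invalid/x.js"></script>'
)
TRUSTED = {"www.example-site.test"}

if __name__ == "__main__":
    for host, tag in find_foreign_scripts(SAMPLE, TRUSTED):
        print("foreign script from", host)
    cleaned, n = strip_foreign_scripts(SAMPLE, TRUSTED)
    print(n, "tag(s) removed; trailing junk now:", repr(trailing_junk(cleaned)))
```

Run the same three functions over each file from a clean backup first to confirm the trusted-host list is complete before touching the live site.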

There is no fail-safe method of protecting this type of data, however following the steps below can help reduce the severity of this threat:

1. Never store your FTP information in any FTP client.

2. An alternative solution for storing FTP passwords can be found here (http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/). However, use this solution at your own risk. I have not tested this solution.

This post is in no way a recommendation against using FileZilla or any other FTP client, it is written to warn about the dangers of using stored FTP credentials.

The ethics of underground hacking training

Introduction

In a study of the ethics of hacking, I had the idea of discussing a controversial dilemma which has been argued over for ages. In this paper, however, I am going to approach it from the perspective of hacking: is it morally justifiable to learn the skills of hacking and train underground with these skills for the purpose of becoming a more experienced white hat hacker, in other words an ethical hacker?

[Image: Underground, “The Office”. Credit: jacobcharlesdietz, http://jacobcharlesdietz.deviantart.com/art/The-Office-129557298]

Why train underground on real targets?

Before taking this article into the subsequent phase, I would like to clear up the confusion regarding some of the terminology I use (and yes, I am a big fan of introductions). Hacker, in this article, designates a person who is an online security expert. Some theorists, professionals, book writers, or just writers like to use the term hacker to refer to programmers/computer specialists/engineers who work on extending the functionality of a physical or non-physical object to bypass its original purpose or to enhance and optimize its efficiency and performance. Well, in a way, online security experts do the same thing, for in order to be a good hacker one must master the ins and outs of the platform he/she intends to break into in order to successfully gain access and maintain it. However, the above takes an article by itself to discuss, so I am going to leap directly to the point.

Why do hackers need to experience an attack on a real target? The answer is simple. If one does not experience the rush behind committing a crime, the motivation for being a thief and the thrill of attaining the grand prize, one will acquire neither the patience nor the creativity to do his/her task well.

[Image: Corporate Evil. Credit: dynnad, http://dynnnad.deviantart.com/art/Corporate-Evil-109587580]

The rush, motivation and thrill are the essence of any hacking attempt worthy of admiration. I am being amoral here, I understand, but reality is not always morally just. Hackers as portrayed by the media are criminals who take pleasure in destruction. Sorry to disappoint you, but most of the talented hackers do it for the sole purpose of education. You would be surprised at how many successful break-in attempts occur on a daily basis without destruction of property, theft of material or disclosure of private data. It is indeed a fact that many professional black hat hackers do it for personal profit, but this is not the core of my discussion.

Therefore, for the sake of clarification and not restriction, any certified ethical hacker, security consultant, software developer and IT specialist must learn how to break into a protected system with the risk of being caught. The ethical hacking process does include a black box break-in attempt, which, in short, provides the hacker the legal ground to engage in an attack at any given date, time and system, and to use any method or skill to achieve success, whether via social engineering, an arsenal of tools, or identity theft, with no prior knowledge of the network infrastructure or system to be tested. While in my humble opinion this is the most efficient of the numerous ways, it is still incomplete without the correct mindset.

There are indeed other methods to use which might guarantee the system’s security, but the efficiency of all these methods relies on attaining the thinking prerequisites above.

Is it unethical to train underground?

As in any discussion of a philosophical theory/concept, the validity of the conclusion is based on the strength of the premises. In addition, the soundness of the conclusion, as important as it is, is not the subject at hand. Being with or against the following point of view is left to your reasoning.

[Image: Morality and Logic. Credit: crotafang, http://crotafang.deviantart.com/art/Morality-and-Logic-154492822]

I would like to introduce an ethical theory called “Utilitarianism” and, based on it, I will try to draw a conclusion. Be advised that there are numerous ethical theories (Kantianism, Consequentialism, Deontology, etc…). My goal is to shed light on the topic from an academic perspective, not to draw a firm, concrete conclusion.

Utilitarianism, in very simple words, judges the moral worth of an act based on its consequences. The judgment follows a small set of rules which, if respected, enable a relatively valid conclusion to be drawn. The main aspect of a utilitarian act is to minimize negative utility, such as personal gain, suffering, pain and personal satisfaction, and to maximize positive utility, such as generating more happiness.

Hence, logically, on one hand, underground hacking attempts on a potential target would cause pain and distress for some number of people. On the other hand, the experience gained from such attempts will be beneficial for a larger number of parties. Nevertheless, the pain and distress for the attacked parties can be reduced to the bare minimum, to the point where the target might not even be aware of the break-in attempt, so that no actual damage to property is caused. Of course many controversies will arise from what I have just said, but think about it: isn’t this type of reasoning similar to the justification of sacrifice, wars, and many other injustices inflicted on the world each and every day?

Therefore, according to the argument above (as short as it is), undergoing underground hacking training is indeed beneficial for a large number of parties.

However, this article remains inconclusive and further discussion remains necessary.

Why Online Communities Matter

A little about the open-source initiative

[Image: Open Source Initiative logo]

For those of you unfamiliar with this term or this philosophy, this is a small discussion of the concept. The software development production process varies between the “classic” commercial development model and the open-source model. The latter relies on two main principles: collaborative and peer-to-peer development. Everything from the source code to the documentation is publicly released for free, so that any other developer can upgrade, modify and debug the product’s latest release. Even using the code, in part or as a whole, in other projects is permitted under the conditions described in the license accompanying the release.

Licensing is “a great alternative to just releasing your work into the public domain or granting permissions on a case-by-case basis” according to Cameron Chapman. Since this topic takes rigorous discussion I will leave it to the author mentioned previously to disclose the different types of licensing as well as the pros and cons of each in her article “A Short Guide To Open-Source And Similar Licenses” released by Smashing Magazine.

Many famous projects are open-source, such as Linux, Apache, PHP, Symbian (Mobile OS), WordPress, Drupal, ecommerce, Moodle, Mozilla Firefox and others. The advantages are numerous, and as an open-source fanatic my opinion is personal and far from objective. However, I will focus on the benefits of peer-to-peer, collaborative development.

Software development companies rely solely on the experience of their team of developers. While some are highly talented and knowledgeable, their work falls short when confronted with the combination of worldwide talents from different academic and cultural backgrounds, intelligence levels, experience, needs and ways of thinking. One might wonder how such projects succeed if the workload is spread worldwide. Well, the alpha version of the application, or of the work in general, is done by the author. After the first release, if the application catches the attention of other developers, they will initiate contact with the author, or sometimes without any contact, and work on enhancing or extending the product. In many situations the original author is not able to continue working on the project (for a multitude of reasons). Hence, any other individual can pick up the work of the previous contributors and continue producing future releases. However, some projects die out because people have lost interest in them and/or their level of complexity requires a dedication which no one is ready to offer.

Open source projects are developed voluntarily! Some contributors rely on donations to keep the project going; these donations are not for personal profit though, they are spent on the production costs (if any) which the author along with the contributors should not bear alone.


Communication

As you have probably wondered by now: how can these contributors communicate, given that some aspects of development require brainstorming and discussion? The answer is easy: either via email or forums, or through IRC networks. IRC stands for Internet Relay Chat. Projects such as Freenode have provided developers with networks to which they can connect, join topic-oriented channels and have real-time discussions. This brings us to our focal topic: why are communities important?

Communities and what they can offer

Online development communities are a valuable asset without which acquiring help regarding any projects becomes a tedious task. Have you imagined a place where you can ask for help and benefit from direct answers from a diversity of experienced users? This place exists. Many like to subscribe to forums and ask their questions there, but the process of discussing the topic takes a certain amount of time which some do not have. Thus a less time consuming solution should exist. And it does. Freenode!

Any individual with an IRC client (such as mIRC, xChat or irssi) can connect to the network, join a channel and ask for help. Of course the individuals maintaining the networks and the channels are also volunteering their time, therefore patience and modesty are advised.

Now I will describe the process of connecting to the freenode network below.

Downloading an IRC client

1. Irssi: http://www.irssi.org/download#binaries Download the binaries for your OS (available for almost all OSs).

2. mIRC: http://www.mirc.com/get.html mIRC is restricted to Windows users; the versions available are compatible with Windows 2000/XP/Vista/7.

3. xChat: http://xchat.org/ xChat is an open-source IRC client, available for Windows and Fedora (GNU/Linux); however, the source code is released, hence you can download and compile your own version of xChat.

After grabbing your copy, you can install and run it.

Next in the input bar you can type: /server irc.freenode.net 6667 to establish a connection to the server. /server is the client command which allows you to connect to a server, irc.freenode.net is the server name and 6667 is the port to connect to.

Once done you can join a channel such as #linux via typing: /join #linux

The # prefix before a name marks it as a channel name.

A demonstration of how to connect to Freenode using irssi can be found in the screenshots below. Three small tips:

  • Some channels require you to register a username before joining, to ensure you are not a spam bot. You can get more information about this by typing: /msg nickserv help
  • Some servers do not require a port number for you to connect.
  • In irssi, press ALT+2 (or ALT+3, ALT+4, …, any window number) to switch between chat windows.

[Screenshots: irssi connecting to a server; the NickServ help command; the irssi join command]

Stackoverflow.com

Another topic I wish to discuss is Q & A websites such as stackoverflow. Stackoverflow has become a self sustained community where you are free to ask questions, free to answer them and free to seek the knowledge.

The amazing aspect of Stackoverflow resides in the fact that the community is not moderated by employees or by volunteer developers dedicated to keeping the site functional. No, it is maintained by developers/programmers who once asked questions themselves and have since given a fair number of valuable answers, which earned them reputation. Reputation (through points) allows members to moderate the website, edit information and provide model answers.

Stackoverflow has become a part of my life now. I contribute daily and answer as many questions as my experience allows. The members are extremely helpful and knowledgeable. No question is left with no answer unless, of course, the question is redundant.

Importance of being a part of a community

The benefits are numerous. However I will discuss a few:

1. You will be exposed to topics you were not aware of before.

2. You can answer questions you did not think you could have answered before.

3. Helping other members can refresh your memory about a certain topic, especially with regard to programming.

4. Without even contributing, just by being a spectator, you can learn from other members’ questions and answers.

5. You can make important contacts and promote yourself in the development community.

I cannot go over all of the benefits as they are tremendous, but the above should motivate you enough to give it a try at least.

A lot of communities have established a presence over the Freenode network some of which are: #c, #c++, #linux, #ubuntu, #java, #javascript, #jquery, #wordpress, #drupal, #joomla etc…

Conclusion

A first step to being an open-source developer or contributor is being part of the community. Voluntary help is beneficial for many parties. The open-source initiative has been the foundation for countless successful projects which shaped the online world into what it is today.

Please leave your comments, as your feedback will allow me to write more efficiently in future blogposts. Kindly keep in mind that while I cannot discuss all aspects of the topics I believe I have compiled a small amount of knowledge to get you started. Just in case anything slipped out of my mind, please notify me via a comment or by email.

Thank you,

• Bassem

First Post: Processing language… w00t w00t!

[Image: Processing 1.2]

I thought for quite a while about my first post, and instead of wasting useful space, I’ll cut right to the chase and talk about a fairly young language called Processing.

To be honest it’s not that young, it’s been around since 2001 (according to their website). However, compared to other languages, it’s a newborn.

According to processing.org

“Processing was Initially created to serve as a software sketchbook and to teach fundamentals of computer programming within a visual context, Processing quickly developed into a tool for creating finished professional work as well.”

I couldn’t agree more. Processing is a solid language with a very decent and user-friendly interface that will allow you to visualize what was once an idea or a thought. It provides you with all the tools to create advanced animations, algorithm visualizations and sick graphics. In addition, Processing comes with a set of libraries (OpenGL, Minim, PDF, Network, etc…), increasing extensibility and convenience.

Not only do they have a very comprehensive online reference and an active community, they also have many very well written books discussing the implementation of multiple algorithms in this language.

I have picked the best 3 to get you started:

  1. Getting Started with Processing : this is a simple book discussing the basics that will get you started with Processing. It’s written to be a basic guide for beginners. Many examples are discussed thoroughly and before you know it you’ll be doing your first simple animation.
  2. Processing: A Programming Handbook for Visual Designers and Artists : I fell in love with the complexity of this book. If you’re a beginner in programming, this book is not for you. The discussion of algorithms in this book is very thorough and enjoyable. “The majority of the book is divided into tutorial units discussing specific elements of software and how they relate to the arts.”
  3. Algorithms for Visual Design Using the Processing Language : This is my favorite one. I love it because it provides you with generic code and algorithms which you can use to experiment on your own. It provides you with the building blocks for your own code and gives you an insight on the best practices of visual programing.

It’s only been a week since I started experimenting with this very powerful language and, so you don’t get bored, I attached to this post some images of what I’ve come up with so far. Oh, and have I told you that Processing is open source? I will share the code for these examples in later posts. With the pictures below, I conclude my first post.

Thank you,

• Bassem

Note: Click on the thumbnails to enlarge.

[Screenshots: Game of Life (John Conway); Sin() and Cos() function plotting; Elimination algorithm implementation; Elastic-collision implementation]