Tuesday, August 27, 2013

Fun with Google Safe Browsing

You have probably encountered it: you want to go to a website and instead get a red page saying that something is wrong with the site and malware has been found on it.

Google Safe Browsing is part of your standard Mozilla Firefox and Google Chrome browser. Google isn't the only one playing this game: Microsoft has its SmartScreen filter and most major AV solutions have something similar.

This is all fun, but what if you are a website owner and want to know whether you have been flagged? Well, actually you can get this report. If you surf to http://www.google.com/safebrowsing/diagnostic?site= with the site's domain appended, you get a nice overview of what was detected for that website.

An example:
http://www.google.com/safebrowsing/diagnostic?site=google.com

It tells me that for the domain google.com, 903341 pages got tested in the last 90 days, which turned up:

  • 484 drive-by-downloads
  • 252 trojans
  • 103 exploits
  • 46 scripting exploits

So as you can see, this has some value in risk management. Personally I use this technique for information gathering when doing incident handling. You can also use it in risk management to monitor your own website and those of the parties you do business with in a rather cheap way.

Another cool little trick is that you can get more information on an Autonomous System (AS).

If you are the owner of the AS, like my current employer is the owner of the Belnet AS with number 2611, Google has a nice little tool to generate alerts for your incident handlers.

Some of us don't own an AS. Thus I want to share with you one last toy for website owners: "Fetch like Google". "Fetch like Google" allows you to fetch up to 500 URLs a week for the sites you own and can be very handy to figure out whether Googlebot still sees your website as infected.

Some people have trouble with https, but I haven't had that experience personally. I found this video on YouTube, which is Google's answer to people having trouble. Basically it works for Google too.

Monday, August 19, 2013

Playing with Social Engineering at a music festival

It is summer in the Northern hemisphere of planet Earth and this means that we have music festivals. Traditionally at the festival area you have two checkpoints: one for the entrance bracelet and one to inspect the backpacks for drinks.

The funny part is that people smuggle in drinks because it is kind of a challenge. My theory was that if the man checking my backpack found something, he would be happy and stop looking through the rest of my backpack.

I packed my bag with 2 glass bottles of Belgian beer, put them inside my sweater and put all the rest of my bicycle gear in my backpack. The thing I had planted for the man to discover was a deodorant spray. When you just pat the backpack it feels kind of like a can of coke if you are inexperienced.

I stood in the queue and when it was my turn, I presented the backpack and opened it cooperatively. I showed that I had my gear, like my helmet and everything you need to bike in a city, and the guy started patting the backpack. He found the deodorant and immediately asked me what it was. Instead of answering him I opened up the backpack, showed him the spray and he was happy with the answer.

I gave him a frame of "the guy on his bike" so the big backpack made sense.

As expected, the man had a flow in his mind:
1. look into the bag; when no bottle is visible go to 2, otherwise confiscate the bottle
2. pat the bag; when nothing is found let the person through, when something is found ask a question

The security problem was clearly in this last part: he knew he had to confront me with the fact that he had found something, but when he was given an explanation that was different from "shit, bottle found", he was happy because he had the positive feeling he had done his job.

For your information, my friends and I still buy our beers at the festivals, but as I said before it is kind of a challenge to see if you can beat the system.

Monday, August 12, 2013

Inverse diff - repeated malicious javascript code

I was looking into some pages for malicious JavaScript and needed to figure out, between all the instances we found online, how many were basically the same malicious code and how many were unique.

If you have been playing with Linux for a while you will probably have run into diff, a nice little command to figure out the differences between files. What I actually needed is the opposite of the "classic" diff: only the lines both files have in common. After a little search online I found the syntax

 diff --unchanged-group-format=%= --new-group-format= --old-group-format= file1 file2

To make this a bit visual:
file1 contains:
123
abc
def
999

file2 contains:
123
def
ddd
lalala

and the output will be:
123
def
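The inverse diff above, as an added example in POSIX shell (not the post's own script): the functions wrap the same GNU diff invocation, turn it into an overlap percentage, and compare every pair of files in a directory so that near-identical samples group together. The three sample files are constructed to match the post's file1/file2 plus a near-copy of file2; the 70% threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not the post's own script): wraps the inverse-diff command
# from the post in helper functions and uses it to score how alike two
# samples are, which is what you need to tell "same code" from "unique".
set -eu

# Lines the two files have in common, in order. The post's command omits
# --changed-group-format: GNU diff defaults it to old+new, which are both
# empty here, so passing it explicitly only makes the intent obvious.
# diff exits 1 whenever the files differ, so treat only status >1 as an error.
common_lines() {
    diff --unchanged-group-format='%=' --old-group-format='' \
         --new-group-format='' --changed-group-format='' "$1" "$2" || [ $? -eq 1 ]
}

# Integer percentage of file $1's lines that also occur (in order) in file $2.
overlap_pct() {
    common=$(common_lines "$1" "$2" | wc -l)
    total=$(wc -l < "$1")
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( common * 100 / total ))
}

# Report every unordered pair of files in directory $1 whose overlap is at
# least $2 percent, as "name_a name_b pct" lines.
similar_pairs() {
    dir=$1; threshold=$2
    for a in "$dir"/*; do
        for b in "$dir"/*; do
            expr "$a" \< "$b" > /dev/null || continue   # each pair once
            pct=$(overlap_pct "$a" "$b")
            if [ "$pct" -ge "$threshold" ]; then
                echo "${a##*/} ${b##*/} $pct"
            fi
        done
    done
}

# Constructed samples: the post's file1/file2 plus a near-copy of file2.
workdir=$(mktemp -d)
printf '123\nabc\ndef\n999\n'    > "$workdir/file1"
printf '123\ndef\nddd\nlalala\n' > "$workdir/file2"
printf '123\ndef\nddd\nhello\n'  > "$workdir/file3"

common_lines "$workdir/file1" "$workdir/file2"   # prints 123 and def
similar_pairs "$workdir" 70                       # prints: file2 file3 75
```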