Tag: security

Large data breach, how to minimize online vulnerabilities, and improve response time

Last week I found a data breach in a large company's website, exposing over 2 million customer records (name, address, email, phone number).
It's always a tough choice: do I call it in and risk getting sued, or leave it? Since this was quite a big leak, which I more or less stumbled upon (think along the lines of 'this looks odd, what happens if I try and change this'), I just went ahead and stated my intentions very clearly in my messages, and hoped they would see it would benefit them to use my report, and fix the problem as soon as possible.

Gaining Root Access on Philips B120N Babycam

Update: I have a new Philips babycam, and rooted it again, so I added some more info.

This is an older post, and after having contacted Philips, they told me they had received a report of this issue months prior to my report. In the new firmware these problems don't exist anymore. This doesn't mean that the B120N is flawless, because when you reset the babycam it reverts back to the old firmware, and you can root it.

I wanted to try rooting my B120N cam, and tried to follow Paul Price's Owning Philips In.Sight IP Cameras, but unfortunately Philips decided to close all interesting ports in the firmware version my cam was running.

I did find a way to gain root access, and I wanted to add a recording of the process so you can try it yourself.

I set up my Linux box as 'router' with mitmproxy and a hotspot, connecting my ethernet port and directing traffic through hotspot -> mitmproxy -> internet.
In short, the steps you need to do:

  1. Install mitmproxy on your pc / notebook (plenty of good tutorials available online), to be able to capture traffic and alter responses
  2. Set up a hotspot, where you will connect your phone and camera
  3. Connect your phone, run the In.Sight app, and configure your cam / scan the QR code
  4. Now your camera will connect to the wifi; once the In.Sight app asks you if you want to upgrade, press 'i' in mitmproxy and set the filter to .* to capture all traffic and halt on every request
  5. Click yes on the upgrade prompt in the In.Sight app
  6. Press the 'a' key to allow the requests line by line, until you reach the upgrade_fw.sh line (don't press 'a' on that line, we want to modify this request)
  7. Hit enter on the upgrade_fw.sh line and press 'e' to edit the request
  8. There will be an option to edit the url (I think it's 'u'); point the request url to 'http://yoururl.com/upgrade_fw.sh' (where you host your own shell script and sshd_config file), press enter, and hit 'a' to allow the request to complete.
  9. You now have root access to your camera.

    Below you can find a sample upgrade_fw.sh and sshd_config you can use to complete the rooting.

For this setup I used mitmproxy to capture the traffic from the B120N when it was freshly connected to my wifi network.

When opening the mobile application I immediately got a message to update my cams firmware, when I hit update I saw multiple requests passing through:

Secure your app API

The past month I tested 3 web / mobile applications for security, and 2 of them really had some big issues. They were medium-sized business apps; I have sent them detailed reports, and they have fixed the issues. I won't discuss any further details about them, but I will list the problems I found, so you can avoid having the same problems and keep your customer data secure.

SSH Key Authentication

If you are working with SSH a lot, it might be useful to generate a keypair and set up the public key on your remote server, so you can easily log in without needing to enter a password every time you connect.

Client config

A keypair consists of 2 files, by default they are located in ~/.ssh and are called:

  • id_rsa (private key: never give this to anyone, and never put it in any public location)
  • id_rsa.pub (public key: this key is meant to be configured on the server you would like to access)


Step 1. Generating a keypair with ssh-keygen:

If you don't have a keypair yet, or want to generate a new one for this specific server, open a terminal, enter ssh-keygen and press enter.

(screenshot: ssh-keygen-1)
Note: If you already have a keypair, don't use the default location, or it will replace your current private & public key.

Enter the filename in which you would like to save the key (I'm using test for this demo) and press enter.

After this you will be prompted to add a passphrase; this is optional.

(screenshot: ssh-keygen-2)

As you can see, my test keypair has been generated.

Server config

In order to be able to connect to your server without a password next time, we need to get the contents of the public key and add it to the authorized_keys file on the server.

On your client terminal you can use cat to output the public key contents:

cat ~/.ssh/id_rsa.pub

Just copy and paste the output.

Log in to your server as you normally would (with your credentials) and paste the public key into ~/.ssh/authorized_keys; if the file doesn't exist it will be created when you open it with
vim ~/.ssh/authorized_keys
or
nano ~/.ssh/authorized_keys
whatever you prefer 🙂

To double-check that your server config is set up correctly, open the config file sshd_config with vim or nano (if you can't find it, use locate sshd_config);
the following lines should be present in the config file:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

If they are not, you can add them at the bottom and restart your sshd server with the following command:
/etc/init.d/sshd restart

Notes

  • If you used a different name for your public and private key (so not the default id_rsa), you will need to add an entry to your ~/.ssh/config so the terminal knows which identity file to use for your server.
    An entry would look like:

    Host 127.0.0.1
    IdentityFile ~/.ssh/myidentityfile

    Note that you point to the private key file here.
  • If you are having trouble using your keys, make sure your private key file is read-only for you (chmod 600 ~/.ssh/id_rsa)
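The server-side steps above, as an added example that is not part of the original post: a POSIX shell script that installs a public key into authorized_keys without duplicating it and with the permissions sshd requires, and checks a given sshd_config for the PubkeyAuthentication and AuthorizedKeysFile directives. The paths and the key blob in the demo are constructed placeholders; RSAAuthentication is left out of the check because modern OpenSSH no longer recognises that directive.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the server side of
# SSH key authentication (install a public key safely, verify sshd_config).
set -eu

# install_authorized_key <pubkey-file> <ssh-dir>: appends the key once (no
# duplicates) and tightens the modes sshd checks before accepting a key.
install_authorized_key() {
    pub="$1"; dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # Compare key type + base64 blob only; the trailing comment may differ.
    blob=$(awk '{print $1, $2}' "$pub")
    if ! awk '{print $1, $2}' "$dir/authorized_keys" | grep -qxF -- "$blob"; then
        cat "$pub" >> "$dir/authorized_keys"
    fi
}

# check_sshd_config <sshd_config>: prints each missing directive and returns 1
# if any is missing. Commented-out lines (stock sshd_config) do not count.
check_sshd_config() {
    cfg="$1"; missing=0
    for want in "PubkeyAuthentication yes" "AuthorizedKeysFile .ssh/authorized_keys"; do
        key=${want%% *}; val=${want#* }
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}([[:space:]]|\$)" "$cfg"; then
            echo "missing: $want"; missing=1
        fi
    done
    return "$missing"
}

# key_perms_ok <private-key>: the chmod 600 note from the post, as a check.
key_perms_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# Demo on constructed input (the key blob is a placeholder, not a real key).
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB me@laptop\n' > "$tmp/test.pub"
    install_authorized_key "$tmp/test.pub" "$tmp/ssh"
    install_authorized_key "$tmp/test.pub" "$tmp/ssh"   # no-op: key already present
    printf '#PubkeyAuthentication yes\n' > "$tmp/sshd_config"
    check_sshd_config "$tmp/sshd_config" || echo "fix sshd_config, then restart sshd"
}
if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Run with DEMO=1 to see the duplicate-key and commented-directive cases handled; point the helpers at ~/.ssh and /etc/ssh/sshd_config on the server for real use.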
