Security Weekly News 17 June 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

 
Incident Analysis: Million Dollars Lost In A Minute  [carnal0wnage.attackresearch.com]
Dudes, I and two other fellows have dealt with an incident about a victim whose online banking account has been compromised and a huge lump sum of money is transferred out to Eastern Europe. In fact, the victim is still using the old two-factor authentication token, it means we cannot identify the generated passcode is for authentication, money transfer to a specific account, bill payment, etc, attacker manipulates it indeed. The report could be found from here: http://goo.gl/FVFBO
Please enjoy it and feel free to share your views with me 😉
 
CIA website taken down by DDoS attack  [www.scmagazineuk.com]
The hacking group LulzSec has hit the US government for the second time in a week, taking down the website of the CIA.
A spokesperson told Reuters that its website was taken down, but that the group were prevented from accessing any sensitive data. According to the news agency, this attack was similar to the attack on the Senate in that hackers broke into the public site and downloaded information.
 
LulzSec rampages on.
They claimed they took out cia.gov for a couple of hours tonight, but it’s difficult to say whether they really did it or whether the site was made unavailable because of a large number of people trying to access it after seeing the ‘Tango down – cia.gov – for the lulz’ message on the group’s Twitter feed.
 
Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They – and every other buyer of the cellular-enabled tablet – could be vulnerable to spam marketing and malicious hacking.
The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.
 
Citigroup Inc. said in a letter dated Wednesday that the hacking attack on its Citi Account Online, discovered on May 10, affected a total of about 360 thousand Citi-branded credit cards – corresponding to about 1 percent of the company’s North American accounts.
The company added that it had sent out notification letters to customers, and reissued more than 217 thousand credit cards, with other accounts either being closed or having recently-issued cards.
 
The SpyEye malware has been connected to a recently discovered attack on customers of two German travel services.
Security firm Trusteer said that it had uncovered versions of the malware attempting to pull data from infected machines on the sites of Air Berlin and AirPlus.
Classified as an HTML injection tool, SpyEye is able to intercept web pages on an infected system and add code into the HTML file before it is displayed to the site visitor.
Trusteer chief technology officer Amit Klein told V3.co.uk that AirPlus log-in pages were being altered to add input boxes requiring information such as credit card number. The information is then collected by the malware and sent to an upload server.
 
Now that we live in a world where everyone is going to get hacked at some point, it’s apparently Bioware’s turn. The company has released a statement detailing an attack and the amount of data that was stolen by the guilty parties. It’s not as bad as it could have been, but this is a disclosure no company wants to make.
The hacker gained access to a ‘decade-old’ community server that handled the Neverwinter Nights forum. ‘We have determined that no credit card data was compromised, nor did we ever have or store sensitive data like social security numbers,’ Aaryn Flynn, the Studio GM of BioWare Edmonton wrote on the official forum. ‘However hackers may have obtained information such as user account names and passwords, e-mail addresses, and birth dates of approximately 18,000 accounts – a very small percentage of total users.’
 
An NHS laptop containing the medical records of over eight million patients has gone missing from a storeroom at the North Central London Strategic Health Authority, in what could be one of the biggest data breaches of its kind.
The laptop went missing several weeks ago but has only just been reported to police, although it is still not known whether the machine was stolen or simply lost, according to The Sun.
 
FBI infiltrates US hacker scene  [www.h-online.com]
Quoting Eric Corley, the editor of hacker magazine 2600, the Guardian newspaper reports that an estimated one quarter of all US hackers and crackers are working as informants for the FBI. Corley says that cyber-criminals who get caught can easily be intimidated and coerced into cooperating by being threatened with long prison sentences.
 
UK credit reference and credit recovery agency creditsafe.co.uk took its site offline on Tuesday, as a precaution, following a hacking attack. The site remains offline at the time of writing on Wednesday afternoon.
Miscreants planted malicious code on Creditsafe Limited’s website. This code had the effect of redirecting surfers to a hacker controlled website that attempted to drop malware onto the PCs of surfers, likely using unpatched browser exploits or similar methods.
 
Lulz Security’s request line features the voice of Pierre Dubois – possibly the name of its comic icon
 
Hackers who stole the personal details of more than 200,000 Citigroup customers ‘broke in through the front door’ using an extremely simple technique.
It has been called ‘one of the most brazen bank hacking attacks’ in recent years.
And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories.
 
More than 30 people have been arrested in Spain and Turkey charged with hacking and being part of the Anonymous group.
Spanish police announced on Twitter that it had arrested ‘three leaders of the Anonymous group’ in Barcelona, Alicante and Almeria. According to police sources, the alleged Anonymous members were decision makers and were involved in recent attacks. Also, police agents have seized one of the servers used in many of the attacks in Gijon in northern Spain.
 
The International Monetary Fund has become the latest high-profile organization to fall victim to a network intrusion, according to various media reports, suffering a substantial breach, the full extent of which is not yet known.
Reporting the incident earlier today, The New York Times quoted an unnamed official as saying the breach was a ‘very major’ one and that it had been taking place over the last several months.
 
Codemasters Hacked, First Details  [www.rockpapershotgun.com]
Earlier in the week John noticed that all Codies websites were pointing at their Facebook pages. But why? Well, Codemasters have been hacked by miscreants. The British company has started contacting affected persons, and the details of that missive are posted below.
On Friday 3rd June, unauthorised entry was gained to our Codemasters.com website. As soon as the intrusion was detected, we immediately took codemasters.com and associated web services offline in order to prevent any further intrusion.

Unpatched vulnerabilities

 
In a post on the Fedora Project mailing list, developer Kevin Fenzi has reminded users that Fedora 13 ‘Rock it’ will reach its end of life (EOL) on 24 June 2011. From that date, no new updates, including security updates and critical fixes, will be available. The developers strongly advise all Fedora 13 users to upgrade to Fedora 14 or 15 to continue receiving updates.
 
Microsoft determines the support lifecycle of each of its products from the day that they are released: all products intended for private use are given five years of ‘mainstream support’, while products designed for enterprise use receive an additional five years of ‘extended support’; in practice, a product’s support lifecycle is always a few days or weeks longer. During the second phase, the only patches Microsoft will provide free of charge (at its download centre and via the Windows update function) are those which it considers to be security related.

Software Updates

 
Overview of the June 2011 Microsoft patches and their status.
 
 
Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user’s system, according to Secunia.
 
 
 
 
Siemens has released a firmware update for its SIMATIC S7-1200 programmable logic controllers (PLC) which fixes a known vulnerability. According to a security advisory, the PLC was vulnerable to replay attacks, in which an attacker could record and subsequently resend network communications between the controller and programming or engineering software.
 
Mozilla releases SeaMonkey 2.1  [www.h-online.com]
Mozilla and the SeaMonkey Project developers have released version 2.1 of their ‘all-in-one internet application suite’. SeaMonkey, formerly known as the Mozilla Application Suite, is the successor to Netscape Communicator and includes a web browser with advanced email and newsgroup support, an IRC chat client and HTML editing support.
 
The theft of information pertaining to the security of RSA’s SecurID two-factor authentication system has had greater consequences than the company initially wanted to admit. Nearly 3 months after the attack, RSA has begun replacing some of the 40 million hardware tokens, as announced by RSA chairman Arthur W. Coviello in an open letter. Customers who are worried about the security of the tokens will have to request replacement tokens.
 
The VideoLAN project has announced the release of version 1.1.10 of its VLC media player, the free open source cross-platform multimedia player which supports a variety of audio and video formats. According to the developers, the eleventh release of the 1.1.x branch of VLC is a maintenance and security update that addresses several issues found in the previous update from mid-April.
 
The Python developers have released Python 2.6.7, as noted when Python 2.5.6 was released last week. Python 2.6 is in ‘security fix only’ mode until October 2013, with no new bug fixes or features to come; Python 2.6.7 saw three medium severity issues addressed. According to the Python 2.6.7 NEWS file, these were a vulnerability to XSS attacks in SimpleHTTPServer, a failure to follow redirections with file: schemes in urllib and urllib2 (CVE-2011-1521), and smtpd.py being vulnerable to DoS attacks due to missing error handling when accepting a new connection.
 
Update: Looks like the Security Onion 20110607 files haven’t fully replicated to all Sourceforge mirrors yet. If you’re having trouble downloading, please try later today.
Security Onion 20110607 is now available! New features in this release are as follows:
Sguil 0.8 (now with more shininess and anti-aliased fonts!)
Squert 0.8.3 (now with user authentication!)
new tcl/tk packages (resolves a scaling issue when running in VMWare and allows for the anti-aliased fonts mentioned above)
 
 
As noted this weekend in our post here, the Snort 2.9.1 beta has been released along with a new version of DAQ (0.6). The beta is available for download on our Snort-downloads site.
 
Online Hash Generator  [www.insidepro.com]
 
Here is my NSE script to determine if a http web server is protected by a Web Application Firewall (WAF), Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). It’d be great if I can get some feedback from users with access to other untested WAF/IDS/IPS products.
 
I’ve been working on ‘porting’ my popular mbenum tool to Nmap.
MBenum queries the master browser for a list of servers using the NetServerEnum2 function.
In addition to a list of every server name in the domain the master browser keeps track of versions and services running on each server.
 
It’s been a while since we last mentioned Skipfish, it was back in March 2010 when they first came out.
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
 
Bro is a powerful network analysis framework that is much different from the typical IDS you may know.
 
After creating the WordPress Brute Force Tool last weekend, I decided to create a bigger project out of it, called WPScan.
WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use is to be for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.
 
The Wireshark development team has announced the release of version 1.6.0 of its open source, cross-platform network protocol analyser. Wireshark 1.6.0 improves support for larger files (greater than 2 GB) and can now export SSL session keys and SMB objects. Users can save files with a user-specified group id via Dumpcap, and, similarly to text2pcap, Wireshark can now import text dumps. Version 1.6.0 includes options to display the compiled BPF code for capture filters in the Capture Options dialog.

Business Case for Security

 
Val Smith: The fact that the time to push for security was 10 years (or more) ago and it is too late now. EVERYTHING is compromised. Most major software (including open source) has some form of backdoor. Most (if not all) large and important organizations are at a minimum currently targeted and more likely have already been penetrated for multiple years. This comes from my incident response experience. At this point prevention is out the window, detection has failed and we need to come up with what is possible to do next. In my opinion offense is the only real future left, and it’s a bleak one.
As far as what makes a good penetration test, it’s simple, figure out what real attackers do, and do that. Do attackers run nmap, then nessus/nexpose, then core/canvas/metasploit and simply try to root as large a list of boxes as possible? No, pretty much never.
Attackers send a targeted, well-crafted phishing email, beacon out on port 443, encrypt and exfiltrate data. Sometimes they laterally attack and sometimes they go after admin/domain controllers, but not always. Attackers use 0day. This is what pen testers should be doing…
 
Unfrozen Caveman Attacker  [1raindrop.typepad.com]
Clarke also asks ‘Since defensive measures such as antivirus software and firewalls appear unable to stop the Chinese penetrations, does the administration have any plan to address these cyberattacks?’
The sad thing of course is that the examples he gave – firewalls and anti virus – are what Infosec teams spend their money on and they think this will do anything whatsoever to stop attackers.
 
At the moment hardly a day goes by without a security breach making the news, even as I write this I am hearing the CIA website has been taken down by a ‘Distributed Denial of Service’ (DDoS) attack by LulzSec. These are unprecedented times, as we are seeing large corporations, government enforcement agencies, banks and even reputable IT security companies being successfully attacked, which goes to validate phrases I regularly use, such as ‘there is no such thing as 100% security’ and nothing can ever be considered as being ‘secure’. My face always etches up with contempt when reading words like “this is a secure website”. So what is going on, why are these breaches occurring now? Are these cyber attacks becoming cleverer and more sophisticated? Are such attacks going to continue? I’ll endeavour to explore and answer these questions in this post.
 
More focus is needed on network monitoring, outbound filtering, and whitelisting, security experts say
The recent spate of successful cyber attacks against high-profile organizations has focused fresh attention on the need for enterprises to implement new defenses against targeted threats.
Over the last few months several supposedly secure organizations, including RSA, Lockheed Martin, and the Oak Ridge National Laboratory have been victims of major attacks.
Last week the International Monetary Fund joined the list when it admitted to a similar intrusion.
An anonymous IMF source quoted in a story in The New York Times described the incident as a ‘very major breach’ that likely resulted from so-called spear phishing.
 
The recent security breaches on the Fine Gael and DUP websites have once more brought information security to the fore with extensive coverage of both incidents in the media. One of the questions I keep getting asked after such incidents is “how do I ensure my company is secure?”. Making your company, or website, secure is a matter of ensuring the appropriate information security risks have been properly identified and managed. The ISO 27001:2005 Information Security standard provides companies with a structured and proven way to implement and manage an Information Security Management System and provide management and the business with confidence in the security measures that are in place.
 
Infrastructure the most important target for cybercriminals
Germany today launched its new cyberdefence facility in Bonn, dedicated to defending the country’s critical infrastructure, including its electricity and water supply. The facility is believed to be the first of its kind in Europe.
 
Top 5 Ethical Hacking issues  [www.fastiis.org]
The importance of conducting internal security assessments cannot be overstated, in ensuring your network, data and user environment are secure not only from internal staff threats but from the outside world. Many of today’s attack vectors work outbound from client systems, therefore inbound firewall rules may not stop this. It is also vital to ensure that data sensitive information such as H.R or payroll data is not accessible to standard users.
Below are the top 5 most common issues I find when conducting internal infrastructure assessments within Windows based domains.
 
10 most common iPhone passcodes  [www.net-security.org]
Posted on 14 June 2011. The problem of poor passwords is not confined to computer use, and the fact was discovered by an app developer who has added code to capture user passcodes to one of its applications.
 
A brief Sony password analysis  [www.troyhunt.com]
So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn’t bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com.
As bad guys often like to do, the culprits quickly stood up and put their handiwork on show. This time around it was a group going by the name of LulzSec. Here’s the interesting bit:
Sony stored over 1,000,000 passwords of its customers in plaintext
 
Nato is planning to bolster its cyber defence capabilities.
The defence organisation is to assemble a task force to detect and defend against online attacks.
The decision to set up Cyber Red Team coincides with NATO plans to strengthen online defences between its 28 member nations and agree codes of conduct for warfare engagement.

Web Technologies

 
Agile != security  [www.rakkhis.com]
I am going to fail. Agile and security just do not mix, especially secure at source. Agile is all about rapid development, everyone in a room with brown paper plastered across the wall, product backlogs building up while developers code feverishly on today’s priorities. Security works well in a structured environment. We influence through control points and project gates. Oh, you are writing requirements? Let me provide you some from security. Design stage? A threat model and design review. Build we will mostly ignore but test is our Coup de grâce. The pen test is the height of security skill where your lovely creations will be decimated! But how do I apply this magnificence to agile when I am called a CHICKEN and thrown out of the room?
 
Back from the latest OWASP Belgium Chapter meeting… Two speakers were scheduled tonight: Colin Watson presented the OWASP AppSensor project then Andreas Falkenberg talked about modern attacks against web services like Twitter. A last-minute guest joined us: Josh Corman who spoke about “rugged software”.
 
In this special Web 2.0 tutorial video, security luminary Robert “Rsnake” Hansen discusses serious Web 2.0 attacks that pose a severe threat to the Web security landscape. This exclusive in-depth presentation looks at an array of attack methods and what can be done to better recognize and secure these threats against your organization.
 
A security firm raised new concerns today about WebGL–but Microsoft piled on with an opinion that’s likely more damaging to fans’ hopes for a universal 3D Web graphics standard.
‘We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities,’ Microsoft said today in a security blog post flatly titled ‘WebGL Considered Harmful.’ ‘In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.’
The move effectively kills WebGL fans’ hopes, at least for now, that WebGL could become a standard Web programmers could count on finding in modern browsers. And that means one hot area of programming, games development, won’t have an easy, unified way to tackle Web-based software.
 
A lot of websites are compromised without their owners noticing for days, weeks, even months that the sites are hosting illegitimate content, attacking visitors through malicious code or are being used as a command-and-control channel for a bot network. Below are my 10 tips for detecting that your website was hacked.
 
Mozilla is disabling cross domain textures in Firefox 5’s WebGL implementation after a researcher demonstrated an ability to abuse the capability. A report released in May by Context Information Security on WebGL security included a proof of concept which used cross domain textures to reconstruct a displayed image without directly accessing the image. The Khronos Group, home to the WebGL standard, responded to the issue saying that it was considering requiring opt-in to Cross Origin Resource Sharing (CORS) or some other mechanism to prevent possible abuse.
 
If you are a professional web developer, security is an important aspect of your job. If you are planning to store critical or sensitive data in your web application (passwords, credit cards, etc.), you should use strong cryptography to protect this data.
But what is strong cryptography and why should we use it? Learn more about strong cryptography in PHP in this session.
Presenter: Enrico Zimuel, Senior Consultant & Architect Zend Technologies
 
Some years ago, everything just went crazy from the error-based MySQL, and unserialize seemed somewhat complicated and did not occur in real life. Now it’s the classic technique. What can we say about dinosaurs such as zero-byte includes, which came to replace the file name truncated. Researchers always have something to dig up, invent, and in the meantime new versions of the interpreter and engines have come, and with them – new bugs from developers.
In fact, there are three methods to find vulnerabilities: Savvy (when a researcher comes up with some trick and checks if it works in practice), source code analysis and fuzzing. On an interesting Chinese fuzzing and its development from my side I want to tell.
 
Owning WordPress the easy way  [blog.makensi.es]
According to security lore, relying on the secrecy of usernames to secure accounts is a bad practice. However, the premise of known usernames is not always the case for external attackers. For this reason, from a practical point of view (not the security utopian one) even poor passwords can withstand bruteforce attacks when paired with nonpredictable usernames. This is especially true on remote web logins where brute forcing is easily detected and thwarted by most IPS or CAPTCHAs.
 
Anatomy of a SQL Injection Attack  [www.barracudalabs.com]
As you probably heard from our previous blog posting, Barracuda Networks suffered a breach from a SQL Injection attack on the weekend of April 8. While the overall impact of the breach turned out to be relatively minor (only contact names, including names and emails), such an event always involves a post-mortem. As is often the case in events such as data breaches or data center outages, there is never one single error that leads to the outage or attack but rather a series of interrelated errors that ultimately results in a failure or vulnerability that can be exploited. Taken individually, each event is usually accounted for by the organization and there are redundancies in place to handle any failure issues. However when taken together, the unexpected – in this case an attack on our site – occurs. In analyzing the attack, we observed:
 
Des chiffres et des lettres  [fluxius.handgrep.se]
(on breaking CAPTCHA with python)
In this article, I will only focus on the captcha part, which was a little bit harder to break in a short time
 
More LFIs  [pastebin.com]
Tom Landry® follow @landrytom or visit landrytom.wordpress.com
 
OWASP AppSec EU 2011 review  [pentest4devs.blogspot.com]
OK, OK, I’ve failed miserably to keep this blog even vaguely up to date.
But I’ve just got back from OWASP AppSec EU 2011, so a quick review is a good way to kick it off again.
I’m relatively new to the security ‘scene’ so it was the first major OWASP event I’ve been to, and I didn’t really know what to expect.
 
A Report on AppSec Europe 2011  [www.clerkendweller.com]
I arrived back from Dublin on Friday night following a full programme of training, presentations, meetings and networking at AppSec Europe 2011, held in Dublin, Ireland.

Network Security

 
IRM (Incident Response Methodologies)  [cert.societegenerale.com]
CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields on which a CERT team can be involved. One IRM exists for each security incident we’re used to dealing with.
CERT Societe Generale would like to thank SANS and Lenny Zeltser who have been a major source of inspiration for some IRMs.
 
Offensive IDS  [defcon-russia.ru]
Alexey Sintov Slides, Defcon Russia
 
By Darren Anstee of Arbor Networks
Why is it a good idea to use flow information?
You don’t need to invest in new equipment to get flow information
It can be used to detect malware infected hosts, DDoS, zero-day exploits, attack and abuse
Network flow information is generated regardless of whether there was symmetric or asymmetric routing
Network flow information is like a phone bill, you cannot tell what has been said, but you can use it to prove who talked to who.
 
 
This is a follow-up post for vSploit – Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework about using Metasploit as a way to test network infrastructure countermeasures and coverage. I mentioned obtaining list of suspicious domains to use for testing organization’s networking intelligence. Simply put, let’s create suspicious traffic to see how organizations respond.
 
Posted by HD Moore on 14-Jun-2011 9:28:30
The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, our Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from our Top 5 or Top 25 exploit lists. This is our way of saying thanks to the open source exploit development community and encouraging folks who may not have written Metasploit modules before to give it a try.
 
Malware Sandbox Services and Software  [sempersecurus.blogspot.com]
Whether you are performing digital forensics, or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious file’s behavior. I received an email this morning from Jose Nazario of Arbor Networks where he provided a link to a list made by the folks at Buster Sandbox Analyzer of various sandboxing tools and services. I decided to take that list, check out and update each of the links and provide a brief description of the various services. I also added a few other services that I’m aware of.
 
Commercial sector breakdown (2010 Mandiant data)
Breakdown of IR investigations performed in 2010 by Mandiant
 
Kyle Randolph here, along with the security team for the Adobe Acrobat family of products. This post will discuss the technical details of the new Protected View added in the Acrobat 10.1 release announced today. Even more technical details are available in the Application Security Library. Protected View builds on Adobe Reader Protected Mode discussed previously in a series of technical posts on the ASSET blog. With Protected View, Acrobat users will benefit from the protection provided by a sandbox when they open untrusted PDF files.
 
 
DEFCON CTF Quals, which occurred on July 3-6, were cool! We took part in the competition together with a couple of other teams under the united name ‘IV’.
53 hours of continuous hacking and reversing, tons of interesting and challenging tasks. We were still submitting tasks in the last seconds and as a result we have passed to the finals, to meet, you guys, in Vegas
 

Forensics / Reverse Engineering

 
Part One in a multi-part series on holistic, multi-disciplinary analysis and reversing.
This post is based on a presentation I gave at the last Thotcon, but was really prompted by a case from a couple days ago. It’s an interesting example of how the same disciplined methodologies for finding malicious traffic on the network also applies to sophisticated situations on the host as well. We’ll examine those methodologies and logic on the host by examining a little app I wrote called LockPick, pictured here and detailed later in this article. As we’ll see, mutex analysis is a VERY powerful way of analyzing systems during Incident Response. They can lead the direction of your analysis when other automated methods fail to do so.
 
Part Two in a multi-part series on holistic, multi-disciplinary analysis and reversing.
The last post, “Mutex Analysis: The Canary in the Coal Mine,” started off showing how you can use mutexes to discover malware that is difficult to locate using more traditional methods and tools. We used a live compromised system for the example and the post came to a relatively abrupt end when it seemed that we stumbled onto a new/unknown type of malware – or at least one that does not seem to have any public exposure or analysis. This post will be “part 2” of our analysis.
 

Cryptography

 
Researchers Andrew M. White, Austin R. Matthews, Kevin Z. Snow, and Fabian Monrose from the Department of Computer Science and the Department of Linguistics at the University of North Carolina at Chapel Hill used an attack, dubbed “Phonotactic Reconstruction”, in their research paper, amusingly subtitled “Hookt on Fon-iks,” to predict clear text words from encrypted sequences. What they did was segment sequences of the VoIP packets into sub-sequences mapped into candidate words, then, based on rules of grammar, hypothesized these sub-sequences into whole sentences. In other words, they were able to reconstruct the conversation by guessing and predicting the original sounds used within the original Skype conversation.
 
Everybody talks about how vulnerable RSA is and the importance of the prime numbers involved in the creation of keys; people know that the security is based on the complexity of factorization.
Some days ago I posted how to break a key and people asked me to make a post of it.
We are going to break an RSA key of 256 bits (this size is not too big, but is not insignificant) in less than 5 minutes. This is another reason to do research in other schemes like discrete logarithm over other algebraic platforms; I have been giving speeches about jacobians of algebraic curves and other abelian varieties.

Wireless Security

 
An assassin waits for his target to walk into range, then presses a button on a radio transmitter, causing the target’s pacemaker to deliver a lethal dose of electricity. Such a scenario may be fictional for now, but as more and more medical implants are designed to wirelessly send and receive data, it becomes increasingly possible. Researchers at the Massachusetts Institute of Technology (MIT) are certainly aware of the dangers of wireless attacks on implants, so they’ve developed a countermeasure – a wearable signal jamming device.
Although some people might think that it would be simpler to just build an encryption function directly into the implants, this would require the devices to draw more power, and could alter their physical form. Emergency response crews would also be unable to communicate with a patient’s implant, unless they were able to obtain that person’s ‘secret code’ – if the encryption was handled by a wearable shield, however, that shield could just be removed and disabled. Additionally, a shield could be used to protect existing implants that weren’t designed with attacks in mind.
 
DECT Sniffing Dedected  [www.backtrack-linux.org]
Most vendors don’t implement encryption in their devices so one can sniff it with certain hardware and software. For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/
Tested on
BackTrack 5 final x86 KDE with Kernel Linux root 2.6.38
Original Dosch&Amand Type II PCMCIA Card
SIEMENS C1 DECT Phones set up in repeater mode
NOTE: This is experimental software which is not very actively supported anymore!

Mobile Security

 
Lookout joins other security firms, releasing a browser for smartphones that can blacklist known phishing sites.
With data showing the effectiveness of phishing campaigns against mobile browsers, security firms have aimed to fill that particular security hole: Symantec, McAfee, Trend Micro, F-Secure and Webroot are among the companies that have released secure browser add-ons for Android phones.
Wednesday, mobile security firm Lookout joined the group by releasing its own secure browser, Safe Browsing, to its security product, Lookout Mobile Security. The update gives mobile users a browser that prevents drive-by downloads and checks Web sites against a list of phishing sites.
 
This presentation was delivered in June 2011 at the Mobile Forensics Conference in Myrtle Beach, SC.
 
Most of yesterday, Threat Research Analyst Armando Orozco and I took a closer look at a piece of malware discovered by a university security researcher, Xuxian Jiang of North Carolina State. The malicious code, which the malware creator named Plankton, is embedded into a number of apps that were briefly posted to Google’s Android Market earlier this week, then rapidly pulled down after the researchers informed Google of their initial findings.
 
Smartphones with open operating systems are getting popular with the passage of time. Increased exposure of open source smartphones has also increased the security risk. Android is one of the most popular open source operating systems for mobile platforms. Android provides a base set of permissions to protect phone resources, but the security area is still underdeveloped. This survey is about the current work done on the Android operating system. Some of the techniques which can give a positive edge to the security area are analyzed in the present survey paper. These techniques are basically meant to provide better security and to make the Android security mechanism more flexible, as the current security mechanism is too rigid. The user does not have any control over the usage of an application. The user has only two choices: a) allow all permissions and the application will install, b) deny all permissions and installation will fail.

Cloud Security

 
Outlook is Cloudy  [bhconsulting.ie]
Cloud computing has become an exciting evolution in how we deliver, access and use services over the Internet. The Cloud offers organisations many benefits and opportunities. However, these opportunities and benefits do not come without a number of security risks that need to be considered.
Ireland is uniquely positioned to handle these issues. In an article with the CSO Online Magazine titled “Ireland hopes security measures attract big cloud providers” I outline a number of these benefits. In my opinion these benefits include the high quality of information security professionals that are based here, our experience in managing and running large datacentres and the cloud security research that is going on in various universities.
 
Last week, while teaching the CCSK (cloud security) class, the discussion reached a point I often find myself in these days. We were discussing the risk of cloud computing, and one of the students listed “less control” as a security risk.
To be honest, this weaves itself through not only the Guidance but most risk analyses I have seen. And it’s not limited to cloud discussions. One of the places I hear it most often is in reference to mobile computing – especially iOS devices.
 
Cloud thoughts  [isc.sans.org]
The cloud means a number of different things to different people. For some it is the new frontier, the way forward. For others it is outsourcing by a different name and even less control over what happens in the cloud. In true security fashion and one of my favourite answers, it depends. The reality however is that it is inevitable, in some aspects of your work you will come into contact with the cloud, or you will be asked to secure it.

Privacy / Censorship

 
Boxee is an application for streaming video from the Internet and from machines on your local network. I run it on my HTPC. I recently noticed some strange HTTP traffic originating from my HTPC. Whenever you attempt to watch a programme with Boxee, a HTTP POST request is made to http://app.boxee.tv/action/add containing XML in the POSTed data, of the following format:
 
IDG News Service – Justice Ministers across Europe want to make the creation of ‘hacking tools’ a criminal offense, but critics have hit back at the plans, saying that they are unworkable.
 
The Nissan LEAF all-electric car is full of technological firsts. One of which is a GSM cellular connection to the internet for providing voluntary telemetry information to Nissan, new charging stations, competitive driver rankings, and even RSS feeds. This is called Nissan CARWINGS.
However, before you start plugging in your favorite RSS feed sources, there is something you need to be aware of.
 
Between the bank holiday weekend and the Sunday Times paywall Mark Tighe’s story last week revealing that the Data Protection Commissioner is investigating the Eircom / IRMA three strikes system didn’t receive the attention it deserved. However the investigation has the potential to entirely derail the system and needs to be considered further.
First, the background. I’m disappointed but not surprised to find that my 2009 prediction – that Eircom would end up falsely accusing innocent users – has come to pass in relation to 300 users:

Security FAIL

 
The European Commission is capable of the worst as well as the best ideas! A few days ago, they announced the imminent setup of a CERT (“Computer Emergency Response Team”) to protect the institutions, agencies and bodies against cyber-attacks. Good idea!
But, a few days ago, a press-release announced that Justice Ministers, who met last week, want to create a law to fight the creation of “hacking tools”
 
Major security breach at the French SSL authority
A French provider of SSL certificates appears to have made a bit of a boo-boo in its webserver configuration: publishing its private key for the world to see, and opening up a potentially serious security hole in the world’s web browsers.
Sadly, French SSL specialist Certigna appears to have failed to keep its secret under lock and key. A visit to the site’s revocation list page – which is fully publicly accessible via a standard web browser – allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates.
 
Smart grid (in)securities  [www.csoonline.com]
As the power grid becomes more intelligent, it also becomes more dangerous.
The U.S. is rapidly moving forward on its smart grid initiative. At the White House Grid Modernization event earlier this week, U.S. Department of Energy Secretary Steven Chu touted how smart meters will provide utility companies with greater information about energy flows in their service areas, and give consumers access to timely data about their own power usage.
Few doubt the potential benefits. But at what cost to new risks and shenanigans caused by hackers, pranksters, attacks on power distribution by adversarial nation-states or terrorists that wish to unleash havoc on the system? Essentially, as hundreds of millions of smart meters and devices get connected to the power grid, it introduces entirely new risks to the system. ‘You are increasing the attack surface with every new device connected to the grid,’ says Eric Knapp, director of critical infrastructure markets for NitroSecurity.
 
The customer data made available via FTP can easily be found using Google. According to a report from The Hacker News, the personal data of approximately 40,000 Acer customers were made available online via the company’s Acer-Euro.com FTP server. The 13 MB ZIP archive contained an Excel spreadsheet with the various customer details, including first and last names, country of residence and email addresses, as well as product model and serial numbers owned by these customers.

Off Topic

 
THE TRUE SIZE OF AFRICA  [www.informationisbeautiful.net]

Funny

 
 
Geeks  [ars.userfriendly.org]
 
Star Wars in icons  [www.bitrebels.com]
 
 
Hassel-lado  [wtf.microsiervos.com]
 
Sing along!  [lulzsecurity.com]
Lulz, exciting and new,
come aboard, we’re expecting you.
Lulz, life’s sweetest reward,
let it flow, it floats back to you.
 
EU Assembling CERT  [www.liquidmatrix.org]