Security Weekly News 3 June 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

The far-reaching fraud serves as a cautionary tale for all consumers who entrust virtually their entire financial lives to major companies.
Andrew Goldstein has been a Bank of America customer for more than four decades. He’s grown up with the bank, trusted it, relied on it to be there for him through thick and thin.
So it was with more than a little shock that Goldstein, 60, learned the other day that a BofA employee apparently leaked confidential information about his and hundreds of other customers’ accounts to scammers, resulting in more than $10 million in losses.
China admits cyber warfare unit  [www.channel4.com]
China admits for the first time that it has an elite unit of cyber warriors in its army, as an intelligence source tells Channel 4 News the threat is real, potent, and will be utilised in warfare.
Attacks targeted email contents and contacts
Microsoft has patched a bug in its Hotmail email service that attackers were exploiting to silently steal confidential correspondences and user contacts from unsuspecting victims.
Compilation of the attacks on Sony (Spanish)  [www.securitybydefault.com]
After more than a month waiting for the right moment to talk about everything that was happening, instead of a post we should have dedicated a wiki solely and exclusively to all the security problems Sony has been facing, and everything surrounding them, during this past month.
Okay, okay. Sony has had a lot to deal with of late, what with its Playstation network being hacked and subsequently being taken offline for quite some time. But we believe that Sony has been hacked yet again, this time its Sony Thailand’s website.
As security firm f-secure reports, Sony Thailand’s hdworld.sony.co.th URL has a phishing site running on it, leading to an Italian credit card company.
90 email addresses accessed
Sony’s So-Net Entertainment subsidiary was hacked by intruders who made off with about $1,200 worth of virtual points, The Wall Street Journal reported on Friday.
The hacker stole the points from about 128 accounts and was able to read email from about 90 accounts, the Associated Press said.
Sony has released a revised forecast for the now-finished fiscal year, noting that the company is expected to post a $3.1 billion loss, instead of the $857 million in profits forecasted back in February.
‘Based on information currently available to Sony, our currently known costs associated with the unauthorized network access are estimated to be approximately ¥14 billion ($171.4 million) the fiscal year ending March 13, 2012,’ Sony explained on a slide describing its losses. This does not include costs associated with lawsuits filed against the company, as the outcome of that litigation is hard to estimate for either side.
Eidos has revealed that resumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and ‘Deus Ex: Human Revolution’ websites.
Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)
The Wall Street Journal is reporting that search giant Google is close to reaching a settlement with the U.S. Justice Department over an investigation of the company’s policy of running ads from online pharmacies that operate outside U.S. borders and in violation of U.S. law.
Google has not made a public statement regarding a settlement of the suit. However, the company did include a one time $500m payment in its recent quarterly income filing (10-Q) to the Securities and Exchange Commission (SEC). The payment, listed under ‘expenses’ was for a ‘charge related to potential resolution of Department of Justice investigation.’
Lately I have been interviewed by a few newspaper type organizations in relation to the Playstation attacks. This is because back in February I commented on IRC (chat network) that Sony needs to fix their servers because they are running known vulnerable software and advertising the versions of that software and its modules to the world. I specifically addressed those comments to Sony knowing that Sony was monitoring at that time. Investigators from the law firm Sony hired to go after George Hotz and Fail 0verflow were seen in there as well as Sony employees.
A hacker is claiming that a security hole in a server at NASA’s Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief.
The hacker, who uses the handle ‘Tinkode’ has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA’s Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.
Hackers have broken into two websites belonging to Japanese video games maker Square Enix.
The company confirmed that the e-mail addresses of up to 25,000 customers who had registered for product updates may have been stolen as a result.
Resumes of 350 people applying for jobs in its Canadian office could also have been copied from the web servers.
Square Enix, which makes the popular Final Fantasy, Deus Ex and Tomb Raider games, apologised for the breach.
In a statement, it said: ‘Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites.
‘We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.’
Hackers who breach and cause substantial harm to critical infrastructure systems would face a mandatory minimum three-year prison sentence if the White House gets its way.
The Obama administration is requesting the mandatory prison sentence in a legislative proposal it submitted to Congress on Thursday, which outlines a long but vague list of cybersecurity provisions the White House would like included in upcoming bills. The list includes a number of changes to laws governing hacking (.pdf), as well as laws authorizing the federal government to assist private companies in securing their computer networks when asked to mitigate threats.

Unpatched vulnerabilities

Description: There exists a vulnerability in all versions of user. An attacker can execute arbitrary code on a system by sending a specifically crafted message to a vulnerable user.
Exploit: There are numerous exploits in the wild.
Remediation: Patches do not currently exist. For workarounds, see below.
Advisory Id: TALSOFT-2011-0526
Date published: 2011-05-26
Vendors contacted: WordPress
Soghoian, PGP founder say no bargepole is long enough
Popular cloud storage service Dropbox is misleading users into thinking it is more secure than it really is, says a security researcher and academic, who has asked the FTC to investigate.
Dropbox has around 25 million users. It’s often used as an escape hatch by owners of Apple’s iPhone and iPad: the iOS slabs don’t expose the device’s local file system or provide the end user with a way of manipulating files.
‘Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices,’ says Christopher Soghoian, who filed the complaint.

Software Updates

Cisco has released a security advisory to address a vulnerability in the web server component of the Cisco Internet Streamer application, which is part of the Cisco Content Delivery System. This vulnerability may allow an attacker to cause a denial-of-service condition.
US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20110525-spcdn and apply any necessary updates or workarounds to help mitigate the risks.
WordPress 3.1.3 is available now and is a security update for all previous versions. It contains the following security fixes and enhancements:
Adobe has released updates for Flash Player and Flash Media Server to address multiple vulnerabilities. These vulnerabilities affect Adobe Flash Player 10.2.159.1 and earlier versions for Windows, Macintosh, Linux, and Solaris; Adobe Flash Player 10.2.157.51 and earlier versions for Android; Adobe Flash Media Server 4.0.1 and earlier versions; and Adobe Flash Media Server 3.5.5 and earlier versions for Windows and Linux. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or execute arbitrary code.
Users that think their system may be infected can run Microsoft’s Standalone System Sweeper tool. Microsoft has published a beta of its Standalone System Sweeper software, a bootable recovery tool that can be used to identify and remove rootkits, as well as other advanced malware. The bootable anti-virus solution uses the same AV engine as Microsoft Security Essentials (MSE) and supports both 32- and 64-bit installations of Windows.
In an earlier post I outlined 6 free local tools for examining PDF files. There are also several handy web-based tools you can use for analyzing suspicious PDFs without having to install any tools. These online tools automate the scanning of PDF files to identify malicious components. The list includes PDF Examiner, Jsunpack, Wepawet and Gallus.
w3af – And now, with a stable core  [blog.spiderlabs.com]
Since our latest w3af release in mid January, and our new windows installer release a couple of months ago, we’ve got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs. Now, finally we’re here! https://community.rapid7.com/community/w3af/blog/2011/06/25/w3af–and-now-with-a-stable-core
Announcing Release of ModSecurity v2.6.0
The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.6.0 Release. This is the first release from the 2.6 branch which improves on the functionality of ModSecurity and introduces some new features. Some highlights:
* Google Safe-Browsing API Integration: Protection for users and content providers from malicious links
* Sensitive Data Tracking: Ability to identify and track US Social Security Numbers
* Data Modification: Ability to change data on-the-fly, before delivery, in order to better control outgoing content according to security policies
DOMinator Virtual Appliance  [sourceforge.net]
DOMinator Virtual Appliance is a Virtual Machine image file which can be used to see DOMinator in action. DOMinator is a Firefox-based tool for the analysis and identification of DOM-based Cross Site Scripting issues (DOMXss).
For those still running Python 2.5.x, the release of Python 2.5.6 is likely to be the last release of Python 2.5; after October 2011 there will be no more security issues fixed in Python 2.5 and it is recommended that users update to Python 2.7.1, which is the latest version of the current Python 2.x series.

Business Case for Security

European member states must work harder to establish national Computer Emergency Response Teams (CERTs) by 2012 if they are to meet the European Commission’s expectations for critical infrastructure protection, according to a new EC review.
The report looks at efforts by member states to meet the goals of its 2009 action plan, designed to ensure that Europe is prepared for and resistant to attacks on its critical information infrastructure.
Ireland’s Computer Emergency Response Team is now receiving up to 10 alerts per day from Irish businesses coming under attack by having their systems compromised to host phishing websites or to distribute malicious software.
Small and medium-sized businesses, in particular, are being targeted by criminals who exploit weaknesses in the companies’ websites, according to the Irish Reporting and Information Security Service Computer Emergency Response Team (IRISS-CERT).
Bank of America Breach  [pauldotcom.com]
Please take a moment and read the following article on the current Bank of America breach:
There are two main points we need to take from this. First, the insider threat is real. It is also incredibly hard to detect and react to. We have been pushing for quite some time at PDC to move beyond simple IDS/IPS/AV tactics. This story only serves to reinforce this view.
It’s the human threat, stupid  [www.csoonline.com]
Eric O’Neill, the former FBI operative who played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia, says security can’t rely on tech alone.
Anyone who has worked to defend enterprise secrets from theft knows that the answer to success certainly doesn’t come from technology alone.
Few know this better than Eric O’Neill. O’Neill is the former FBI operative who worked as an investigative specialist and played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia. The 2007 movie ‘Breach’ was based on O’Neill’s experience investigating Hanssen.
‘The human element is usually the weakest link,’ O’Neill said yesterday at the 2011 Computer Enterprise and Investigations Conference (CEIC).
Not doing Code Reviews? What’s your excuse?  [swreflections.blogspot.com]
All of us have known for a long time that code reviews find defects, and that reviews are cheaper and can be more effective than most kinds of testing. In Code Complete, Steve McConnell builds an overwhelming case for code reviews: disciplined code inspections can find between 45%-70% of all defects in code, while even fast, informal reviews can find 20%-30%. Studies at IBM, HP, Microsoft and other places show that it is several times cheaper to find bugs in code reviews than through testing. And evidence keeps coming in to support that code reviews work.
New Breach Notification Law  [webmedia.company.ja.net]
The Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 have now been published, amending the previous Privacy and Electronic Communications (EC Directive) Regulations 2003 as required by the new EC Telecommunications Directives.
As well as new law on cookies that has been discussed previously (Regulation 6), the regulations introduce into UK law a requirement to notify the Information Commissioner, and in some cases the affected users, of breaches affecting the security of personal data. For now, this law only applies to providers of public electronic communications services, but the European Commission are keen that similar requirements be extended to all other organisations handling personal data. So it’s probably worth planning for when (not if) these requirements come to cover all of us.
To define your framework, take Willie Sutton’s advice and go where the money is. In our case, risk and security lay with the IT and information assets in our environment.
For years now, security professionals have been in agreement that a security metrics program is an increasingly important tool to manage the security posture in an environment. We like to cite too-true cliches like ‘you can’t manage what you don’t measure’ and sing ‘Kumbaya’ together about the virtue and benefits of programs. And yet there really aren’t many success stories out there.
Forget the intrusion detection kit, start talking to your employees
The majority of UK workers have no instruction from their employers on how to protect themselves from data loss or malicious software, according to research.
A snapshot survey of 700 UK workers reveals that nearly two thirds (64 percent) do not receive any training or material to educate them on IT security issues, such as how to avoid downloading malware or how to prevent the loss of sensitive data.
Password Managers and Security go hand in hand in this day of age. Due to my Google Account recently getting compromised, I’ve put in quite a bit of research in the solutions you can implement to secure yourself on the Internet. As a plus, these solutions also add an extra level of usability while browsing the net.
The solutions I’ll share my research over:
1. 1Password
2. Lastpass
3. Keepass
4. Passpack
5. Your mind
The two main questions I test these solutions against:
1. How secure is it?
2. How usable is it?
CISOs should take the military’s observe, orient, decide and act concept and apply it to corporate network security, Interop presenter says
Businesses need to look at security as a military exercise and can benefit from strategies that have proved useful in battle, a former military security expert told an Interop audience this week.
‘This is a chess match,’ says Barry Hensley, a retired U.S. Army colonel who was in charge of the army’s global network operations and security center. He is now vice president of Dell SecureWorks’ Counter Threat Unit. ‘Can you lock down a network? Probably not. Can you defend a network? Yes you can.’
He recommends using a military combat concept called observe, orient, decide and act (OODA) that can give businesses a framework for detecting attacks quickly, figuring out what to do about it, doing it and moving on to deal with the next attack. ‘If you can OODA before the enemy can, I believe you can defend a network,’ Hensley says.
There has been a surge in interest with the world of the Navy SEALs since the Osama bin Laden action (this piece in the WSJ was a particularly good profile) and I confess to being caught up in it myself. One of my portfolio company CEOs, Will Tumulty of Ready Financial, is a former Navy SEAL (1990-1995). Will was kind enough to introduce me to a SEAL classmate of his, Brendan Rogers (SEAL 1990-2000), who joined me and 20 NYC CEOs/founders from the tech scene last night to talk about the SEALs – the training, the planning and the operations behind their combat operations – as well as draw out some relevant lessons for entrepreneurs. Brendan went on to HBS and McKinsey after the SEALs and then started his own hedge fund with a partner, so he had an interesting, multi-faceted perspective.
The discussion was wide-ranging and entertaining. The five key lessons Brendan highlighted were as follows:
80% training, 20% execution. SEALs are incredibly well-trained and when they are not on actual combat deployments, they are spending the vast majority of their time training for a number of different types of missions. In contrast, at start-ups, executives typically spend 100% of their time executing and 0% of their time training. Brendan emphasized the importance of training and practice in all areas – employee onboarding, management practices, etc.

Web Technologies

The best exploits are often not exploits at all — they are code execution by design. One of my favorite examples of this is a signed java applet. If an applet is signed, the jvm allows it to run outside the normal security sandbox, giving it full access to do anything the user can do.
Metasploit has supported using signed applets as a browser exploit for quite awhile, but over the last week there have been a couple of improvements that might help you get more shells. The first of these improvements is replacing RJB signing (which requires a JDK and was somewhat difficult to get working) with OpenSSL (which works out of the box with a default Ruby installation). That led directly to the second major improvement: once the RJB dependency went away, it was a lot easier to support user-supplied certificates.
A study of what really breaks SSL  [blog.ivanristic.com]
Earlier this year, we at SSL Labs conducted a second, much deeper survey of SSL usage. (I can now say ‘we’ and really mean it, because most of the work on the survey was done by my Qualys colleague, Michael Small.) I presented the results last week at Hack In The Box Amsterdam:
Cookiejacking  [sites.google.com]
Back from Swiss Cyber Storm and Hack in the Box conferences, it’s time to post about my conferences speech.
Q: What is Cookiejacking?
A: Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim’s cookies without any XSS.
Any cookie.
Any website.
Ouch.
Chrome 11 Anti-XSS ByPass  [seclists.org]
During the creation of a hacking challenge about XSS we had to figure out how to bypass the new Anti-XSS filter in Google Chrome. It was included in the latest release and we were in the middle of a hacking challenge about XSS and Session Fixation. We were thinking about changing the rules of the game, but we managed to bypass the filter in an easy way, so we didn’t change it and players were also able to discover it. This is the ‘how’:
The SharePoint Hacking Diggity Project is a research and development initiative dedicated to investigating the latest tools and techniques in hacking Microsoft SharePoint technologies. This project page contains downloads and links to our latest SharePoint Hacking research and free security tools. Assessment strategies are designed to help SharePoint administrators and security professionals identify common insecure configurations and exposures introduced by vulnerable SharePoint deployments.
Attacking webservers via .htaccess  [www.justanotherhacker.com]
A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed PHP files to be uploaded. However, I couldn’t help asking, what if PHP uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self-contained .htaccess web shells. I wrote both PHP and server-side include shells, but other options can easily be added (jsp, mod_perl, etc.).
When the IE team talks about Cross-Site-Scripting (XSS) attacks, we’ve usually grouped them into three categories
* Type 0: DOM-based XSS
* Type 1: “Reflected” XSS
* Type 2: Persistent/Stored XSS
DOM-APIs like toStaticHTML enable pages to protect themselves against Type 0 attacks. The Internet Explorer XSS Filter can block Type 1 attacks by detecting reflected script and neutering it. Servers can protect themselves against Type 2 attacks using the Anti-XSS library to sanitize stored data.
It turns out, however, that there’s a fourth type of XSS attack: Socially-engineered XSS. In a socially-engineered XSS attack, the user is tricked into running an attacker’s JavaScript code in the context of the victim site. Even if a site follows best-practices to block XSS Types 0, 1 and 2, they may still be vulnerable to Socially Engineered XSS attacks.
Most high-profile cyberattacks are enabled by flaws in computer systems’ software, so-called software vulnerabilities in the application layer. As a preliminary step towards addressing the problem of software vulnerabilities, we have compiled a list of existing initiatives focused on finding and preventing software vulnerabilities. This document provides a comprehensive list of different SSE initiatives, with a focus on the EU, but also including some major US and global SSE initiatives.
Summary
The Basic Upload form on Flickr.com was vulnerable to CSRF. Visiting a malicious page while being logged in to Flickr.com (or using the Flickr.com ‘keep me signed in’ feature) allowed an attacker to upload images or videos on the user’s behalf. These files could have any of the visibility / privacy settings that the user can set in the Basic Upload form. Uploading files did not require any user intervention or consent.
LinkedIn SSL Cookie Vulnerability  [www.wtfuzz.com]
LinkedIn is a business-oriented social networking site. Founded in December 2002 and launched in May 2003, it is mainly used for professional networking. As of 22 March 2011, LinkedIn reports more than 100 million registered users, spanning more than 200 countries and territories worldwide.
There exist multiple vulnerabilities in the way LinkedIn handles cookies and transmits them over SSL. These vulnerabilities, if exploited, can result in hijacking of user accounts and/or modification of user information without the consent of the profile owner.
‘Canonical’ hacks  [blog.stopbadware.org]
The following is a guest blog post by Denis Sinegubko, a malware researcher, security blogger, and software developer. Denis is the creator of Unmask Parasites, a free tool for checking websites for badware.
Matt Cutts, the head of the webspam team at Google, recently tweeted about a new black hat SEO trick:
“A recent spam trend is hacking websites to insert rel=canonical pointing to hacker’s site. If U suspect hacking, check 4 it.”
A few days later, he wrote about it in his blog post about rel=canonical corner cases.
If Matt Cutts pays so much attention to this and calls this a trend (not just individual cases) it’s definitely something worth looking into. So I decided to find more information about this “canonical” issue.
Computer scientists have developed software that easily defeats audio CAPTCHAs offered on account registration pages of a half-dozen popular websites by exploiting inherent weaknesses in the automated tests designed to prevent fraud.
Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg, Authorize.net, and Microsoft’s Live.com. The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain.
The Insecurity of Google’s ClientLogin Protocol
Google announced that they are going to fix the issue also for devices with older Android versions. The fix does not require an update of the Android OS and will be transparent to the user. So, as far as we know, users will not get any feedback when the update will be available on their devices. The fix is based on a changed configuration file for Google services on the device. The update mechanism might be similar to the application removal or Android Cloud to Device Messaging (C2DM) features. The update will only ensure encrypted synchronization of Calendar and Contacts. The Picasa synchronization, which was integrated in Android 2.3, will remain unencrypted.
Cryptographic side channel attacks usually leverage state changes on the system to get additional sources of information that can lead to shortcuts for breaking the cipher. Cache attacks, for example, exploit the inter-process leakage of memory access patterns. We won’t be elaborating further on this in this blog. The concept to grasp here: cache hit or miss events can be useful, and not only for cryptanalysis.
Privacy-wise, any additional source of information can come in handy for tracking purposes (as we’ve seen before). Third-party cookies help advertising companies hinder our ability to remain untraced while skipping from one website to another.
During a recent security test [1] I found a Tomcat server with the default username and password. Great, I thought, easy shell. I fired up Metasploit, chose multi/http/tomcat_mgr_deploy, pointed it at the server and let it go. Bang, fail. I’ve never had this fail before, so I checked my options and fired it off again; fail again. I checked the options again and the server, and found it was a Linux x86_64 box but the 64-bit payload appeared to be broken. So I tried the generic payload, still nothing.
Deobfuscating the Facebook Spam Script  [www.kahusecurity.com]
The latest Facebook spam Javascript code was sent to me. Apparently there are two versions, one was obfuscated while the other wasn’t. Lucky me, I get the obfuscated one!
My first thought was “wow, nice obfuscation but should be easy to get around”. Ha, no such luck. The second layer is worse than the first. Do you see the fifth line from the top on the right-hand side? It’s callee!
ESAPI 2.0GA IS RELEASED!  [yet-another-dev.blogspot.com]
Friends, Romans, Countrymen – Lend me your ears!
It is my pleasure to announce the official release of ESAPI 2.0GA!
This release features some key enhancements over ESAPI 1.4.x including,
but not limited to:
* Upgrade baseline to use Java5
* Completely redesigned and rewrote Encryptor
* New and Improved Validation and Encoding Methods
* Complete redesign of the ESAPI Locator and ObjectFactory

Network Security

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique ‘cookie’ identifying your system.
As a result, RFC3041 introduces ‘privacy enhanced’ addresses which will change and are created by hashing the MAC address. Of course, each operating system has its own way to enable privacy enhanced addresses.
I’ve just published two new IETF Internet-Drafts that document the problem of RA-Guard evasion and propose mitigations.
The two Internet-Drafts are:
* ‘IPv6 Router Advertisement Guard (RA-Guard) Evasion’
* ‘Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery’
CPNI (http://www.cpni.gov.uk) has published the ‘Security implications of IPv6’ viewpoint document, which is basically an excerpt of a technical report on which I have been working during the last couple of years, and which will be published anytime soon.
Threats ‘affect every industrialized nation’
A security researcher who voluntarily canceled a talk about critical holes in Siemens’ industrial control systems has criticized the German company for downplaying the severity of his findings.
“The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email posted to a public security list. “This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers.”
Introducing msfvenom  [community.rapid7.com]
The Metasploit Framework has included the useful tools msfpayload and msfencode for quite some time. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool.
Merging these two tools into a single tool just made sense. It standardizes the command line options, speeds things up a bit by using a single framework instance, handles all possible output formats, and brings some sanity to payload generation.
Mandiant’s Redline  [blog.zeltser.com]
Mandiant’s free Redline tool is designed for “triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.” The new utility is meant to replace Audit Viewer, which was Mandiant’s earlier memory analysis tool. Both programs rely on Memoryze for capturing the memory image of the live Windows host, though they can also examine “dead” memory image files.
Unlike the Pro version of Metasploit, one of the limitations when pivoting connections from Meterpreter through route is the type of tools that can be used through the pivot. This is because any tool that uses raw sockets will not work through the tunnel, leaving us limited to TCP and UDP connections that perform a “full connection” (connected sockets). In the case of Nmap, for example, this means we can only run TCP connect scans (-sT) via socks4 and proxychains, while switches such as -sS (SYN scan), -O (OS detection) or similar will be useless. Although another option is to use port forwarding (portfwd) to map local ports to those of the victim, we are limited to TCP connections, which also reduces the options when choosing tools that use UDP. In our case, what we will do is set up an environment that helps us forward DNS requests from tools that use UDP (nmap, dnsenum, etc.) through Meterpreter.
Organizations large and small utilize social media for interacting with current and prospective customers, recruiting employees and tracking the sentiment regarding the organization’s products and services. (In this context, social media includes blogs as well as social networking sites such as Facebook and Twitter.) As a security professional, you can also use social media for a related purpose: keeping track of malicious activities and threats against your organizations that attackers sometimes discuss publicly.
When I first started on this post, I intended to write about some fun things one can do with a $30 Rosewill IP camera (RXS-3211). While I still intend to do this in the near future, I decided instead to document an interesting password disclosure vulnerability I found that appears to affect at least 150 different IP-based surveillance cameras. This vulnerability allows a remote, unauthenticated attacker to read and/or change the administrator password on affected devices by sending a single UDP packet. This gives an attacker full control over the device, including access to the video streams. Relatedly, a passive attacker on the local network can retrieve the current password without a MITM attack if the device is currently being administrated.
We have mentioned the ‘Microsoft Support’ scams a few times over the last 6 months or so (http://isc.sans.org/diary.html?storyid=10135), but a recent change in their operations grabbed my interest. A colleague of mine mentioned that other day that he had been the recipient of the mystical ‘Microsoft Support’ call to inform him that they had received an alert from his computer. It was the usual scenario, with a twist.
In previous iterations of this scam the person on the phone would get you to click through to the Event Viewer to ‘find something red’. Strangely enough, there is usually something red in most people’s event log. However, do not despair if you don’t have anything red; yellow is just as bad. Once the problem (well, any problem) was identified, your support would have expired and they would redirect you to a web site where you can part with your money and download some version of malware.
To date, a major gap exists in vulnerability standardization: there is no standard framework for the creation of vulnerability report documentation. Although the computer security community has made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) [1] dictionary and the Common Vulnerability Scoring System (CVSS) [2], this lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator. In this white paper, a common and consistent framework is proposed for exchanging not just vulnerability information, but any security-related documentation.
RTIR is the incident handling and ticketing system used by JANET CSIRT, and builds upon the popular open source ticketing system RT. RTIR was originally developed for JANET CERT by Best Practical, with further development guided by the RTIR Working Group as part of TF-CSIRT.
Attacks can’t be avoided, but can be mitigated.
French bank Societe Generale has released a guide to help businesses prepare and defend against Distributed Denial of Service (DDoS) attacks.
The guide covers preparation, identification, containment, remediation, and aftermath and is the fourth incident response management document released by the bank.
There is a lot of malware out there, and sometimes it’s very difficult for security researchers or AV vendors to estimate the extent of such a threat (e.g. a trojan). One technique used to do this is called sinkholing: the goal is to register malicious botnet domains proactively or reactively to prevent the criminals from exerting command and control over hijacked/infected computers, and at the same time warn ISPs of infected computers.
I’d like to come back to an issue I faced yesterday with one my servers. I think that this story could be a good example as part of an IPv6 awareness program…
One of my servers in my home lab runs several virtual machines. This server is reachable from outside via a VPN. On Sunday morning, I tried to access it from a remote location and was ejected with a nice “connection timeout” for the SSH port. After some checks, the server looked to be OK: all the other services were running fine, and the VMs were working as expected.
Over the last few weeks there’s been a lot of commentary around the breach of Sony’s PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that though let’s go over a quick timeline of some of the important points in the breach’s timeline.
Previously, we have discussed using FOCA to perform reconnaissance on a target company. FOCA is a Windows-based tool. Some people would find this unfortunate. But, since BackTrack (our penetration testing Linux distribution of choice) is Ubuntu-based, we smart hackers can install a Windows emulation environment called ‘wine’ to install Windows-based software. Here’s how:
INSTALLING WINE IN UBUNTU / BACKTRACK
Wine is one of the easiest packages to get installed in Ubuntu. Simply open up a terminal and enter the following text to install wine:
sudo apt-get install wine
And, because we’ll need ‘rar’ installed later on to handle an archive we download, enter the following text in the terminal to download and install ‘rar’:
sudo apt-get install unrar
Thinking about that, I’ve decided to gather a list, as complete as I could make it, of all the vulnerable pentesting tools I could find. They are categorized based on the type of application, like Web Pentesting, War Games and Insecure Distributions. Due to the number of tools I won’t be doing any previews, because it would delay this post a lot and make it a little boring to read. I’m gonna review every tool with complete labs later on in future posts.
Professional online criminals  [www.f-secure.com]
Some of the most common banking trojans we run into are versions of ZeuS (ZBot) and SpyEye. These are not your average bots. They are commercially developed crimeware. The trick is that the groups that develop and sell ZeuS and SpyEye do not use them themselves.
Sorting Packet Captures with Scapy  [www.packetstan.com]
Today I spent a little time looking into a packet capture supplied by Vivek Ramachandran at SecurityTube. This packet capture is part of a series of WiFi hacking challenges he is putting together, and immediately after opening it I got freaked out.
Normally, packet captures are sorted by their capture timestamp, though there is no requirement for that to be the case. In Vivek’s challenge, the packet capture appears to be intentionally out of order to make analysis more difficult. You can open it up in Wireshark and sort by the timestamp column, but that makes it impossible to apply packet filters such as ‘frame.number < 10000’, since the frame number isn’t related to incrementing timestamps.

Database Security

DBAs lack understanding of change control, patch management, ISUG study says
Database administrators still don’t get security, according to a study published Wednesday.
Many DBAs and general IT decision makers admit they know little about critical database security issues, such as change control, patch management, and auditing, the survey says.
Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.

Mobile Security

Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market.
Lookout Security reports that Google has removed 34 Android apps from its Market that were infected with malicious code. Lookout estimates that the number of potential victims is between 30,000 and 120,000. Some of the malware samples are modified versions of apps that have been available on the Market for quite some time. Without the knowledge of the app developers, criminals added malicious code to the apps and resubmitted the modified versions to the Market. The apps are infected with Droid Dream Light (DDLight), a variant of the DroidDream malware which was injected into more than 50 apps in March 2011.
Top 10 mobile controls and design principles
ElcomSoft Breaks iPhone iOS4 Encryption  [www.brightsideofnews.com]
The saying that ‘nothing is unbreakable’ proved true once more as forensic experts from ElcomSoft managed to break the hardware encryption Apple introduced with iOS 4.
As a reminder, with the iPhone 3GS Apple introduced a hardware encryption chip. Following the release of iOS 4, Apple introduced the Data Protection feature, 256-bit hardware encryption for all devices featuring the chip. This is also one of the reasons why millions of users complained that their iPhone 3GS slowed down to a crawl following the iOS 4 update.
There is a great free Android app called Privacy Inspector which scans your apps to find out what they are doing with your phone’s information.
Most of this sort of info is collected and sold to advertisers.
What a stupid phishing site.
This site goes to great lengths to make sure you double-check that the URL you’re on is accounts.craigslist.org.
And it isn’t.
It’s been about six months since I reported a vulnerability in the Android mobile platform that allowed the unprompted installation of arbitrary applications with arbitrary permissions on a victim’s device. While the vulnerability has long been fixed on Android handsets around the world, I’ve yet to write up any technical details about it, and it’s unlikely you’ve heard of it unless you were present at our ShmooCon presentation earlier this year. So without further ado, let’s dive into “When Angry Birds attack: Android edition.”
Project is hosted on github: https://github.com/wuntee/androidAuditTools
When taking the SANS reverse engineering malware class, the two analysis techniques taught are dynamic and static. These concepts/techniques are directly applicable to any sort of reverse engineering. When I am assessing, or pen-testing, an application I usually separate my thought process into one of those two buckets. During dynamic analysis of a mobile device it becomes very difficult to understand what’s going on in the operating system due to the lack of automated tools; there are no tools that can easily hook into the kernel processes that tell you key information like network connections, file writes, etc.
The Guardian Project – Open-Source Mobile Security  [guardianproject.info]
Android Security User Guide
Introduction
This document is meant to serve as a basic How-To Guide for customizing your Guardian experience – from rooting your device via recommended guides to using the suite of specific available applications. There’s a reason we maintain this as a Wiki – should you fail to find the answer to your question here, don’t hesitate to contribute or comment! The following channels can be quite helpful as well for Q&A:
Confidential communications tapped by default
Internet phones sold by Cisco Systems ship with a weakness that allows them to be turned into remote bugging devices that intercept confidential communications in a fashion similar to so many Hollywood spy movies, SC Magazine reported.

Cloud Security

What’s in Amazon’s buckets?  [www.digininja.org]
While catching up on some old Hak5 episodes I found the piece on Amazon’s S3 storage. If you don’t know what S3 is then I recommend going and watching the episode; it gives a good introduction and was all I’d had before starting this project. The thing that caught my eye, and Darren’s, was when Jason mentioned that each bucket has to have a unique name across the whole of the S3 system. As soon as I heard that I was thinking: let’s brute-force some bucket names.
Developing the Cloud (PDF)  [www.cloudconsulting.ie]
The touted cost savings associated with cloud services didn’t pan out for Ernie Neuman, not because the savings weren’t real, but because the use of the service got out of hand.
When he worked in IT for the Cole & Weber advertising firm in Seattle two and a half years ago, Neuman enlisted cloud services from a provider called Tier3, but had to bail because the costs quickly overran the budget. He was a victim of what he calls cloud sprawl — the uncontrolled growth of virtual servers as developers set them up at will, then abandoned them to work on other servers without shutting down the servers they no longer needed.
Cloud computing is more secure than on-premise solutions, say its fans
Cloud computing may be the hottest thing in corporate computing right now, but two IT disasters – at Amazon and Sony – beg the question: Is cloud computing ready for primetime business?
It’s a nightmare moment. You are under pressure – to meet customer orders, finish a project, execute a deal – and nothing. Your computers, servers or network are down. If you are lucky, a few nail-biting hours and a reboot or three later, you and your IT team have restored services.
But what if your IT infrastructure goes down and there’s nothing you can do because your computing power sits in the cloud, provided over the internet by another company? When a key part of Amazon’s EC2 cloud service collapsed, many of the firm’s customers were reduced to publishing apologies on their websites, and click ‘refresh’ on Amazon’s service health dashboard.
The cloud computing research team at the National Institute of Standards and Technology (NIST) is requesting public comments on a draft of its most complete guide to cloud computing to date.
NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146) explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Privacy / Censorship

Consumer Watchdog, an advocacy group largely focused in recent years on Google’s privacy practices, has called on a congressional investigation into the Internet giant’s ‘cozy’ relationship with U.S. President Barack Obama’s administration.
In a letter sent Monday, Consumer Watchdog asked Representative Darrell Issa, the new chairman of the House Oversight and Government Reform Committee, to investigate the relationship between Google and several government agencies.
Facebook now own publishing rights to your personal photos unless you change a setting  [privacycouncil.org]
If you are a major Facebook user you are probably a little concerned about privacy issues regarding photos, etc. You may or may not have heard of the recent controversy regarding Facebook owning publishing rights to your personal photos unless you change a setting. Of course it should be easy just to go in and click whatever you need to protect them, but is it really safe and worth it?
When the government gathers or analyzes personal information, many people say they’re not worried. ‘I’ve got nothing to hide,’ they declare. ‘Only if you’re doing something wrong should you worry, and then you don’t deserve to keep it private.’
Blippy’s experiment of broadcasting credit card and online purchases across social networks is coming to an end, according to a report.
The Palo Alto company, which was backed by the likes of Twitter co-founder Evan Williams and at one time valued at more than $46 million, is shutting down its social network, which also shared purchases to Twitter and Facebook, according to the website TechCrunch.
The wife of an Australian security expert has been targeted by another security expert in a Facebook privacy vulnerability test demonstrated at a security conference in Queensland.
The privacy vulnerability, which can affect all Facebook users if a hacker has enough time, allows for privacy-protected photos to be accessed without being the user’s ‘friend’.
Dropbox, the wildly popular online storage system, deceived users about the security and encryption of its services, putting it at a competitive advantage, according to an FTC complaint filed Thursday by a prominent security researcher.
The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.
Cryptographic side channel attacks usually leverage state changes on the system to get additional sources of information that can lead to shortcuts for breaking the cipher. Cache attacks, for example, exploit the inter-process leakage of memory access patterns. We sure won’t be elaborating more on this in this blog. Concept to grasp here: cache hit or miss events can be useful, and not only for cryptanalysis.
Privacy-wise, any additional sources of information can come in handy for tracking purposes (as we’ve seen before). Third-party cookies help advertising companies to hinder our ability to remain untraced while skipping from one website to another.
This is bad news for a small business that is a start-up and has under 300 fans on Facebook. Why? We have to consistently “start all over again” to get the message out about our Internet security and privacy service! As par for the course we did not receive any message from Facebook regarding the removal and disposal of our fan page.
Texas has become the first state to ban intrusive airport security pat downs.
The bill, passed late last night, aims to make touching travellers in an ‘inappropriate’ way during searches a criminal offence.
The measure makes it illegal for anyone conducting pat-downs to touch ‘the anus, sexual organ, buttocks, or breast of another person’ including through clothing.

General

Hello, I’m Efim Bushmanov, a freelance researcher, and here are my project files on Skype research.
While the ‘Wall Street Journal’ makes politics and Skype today’s trend, I want to publish my research on this. My aim is to make Skype open source, and to find friends who can spend many hours completely reversing it.
JavaScript PC Emulator  [bellard.org]
Have you ever been connecting to a new wireless network and seen the following pop-up balloon?
Whenever I connect to a WiFi network which requires in-browser authentication, such as university networks and hotel access points, Windows somehow magically knows. Windows also knows when your internet connection isn’t working, and can differentiate between having local LAN access, no network access at all, or full internet access. But how?
This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They’re actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house.
The Defensive Information Sharing Program (DISP) will offer government entities at the national level that are part of both the Government Security Program (GSP) and the Security Cooperation Program (SCP) technical information on vulnerabilities that are being updated in our products. We will provide this information after our exhaustive investigation and remediation cycle is completed, to ensure that DISP members are receiving the most accurate information as we know it. This process varies from issue to issue due to the complex nature of vulnerabilities. However, this process is always complete just prior to our security update release cycles. DISP members will receive this information in this window.
The Critical Infrastructure Partner Program (CIPP) will provide valuable insights on security policy, including strategies and approaches to help aid the protection efforts for critical infrastructures.
A man’s laptop is stolen, but he’s able to track it remotely and with the help of social media, recover it. (NSFW language.)

Security FAIL

This is a follow-up to my previous blogpost on this topic.
In February 2011 it proved trivial to create a database containing ALL ~35.000.000 Google Profiles without Google throttling, blocking, CAPTCHAing or otherwise making mass-downloading attempts more difficult. It took only 1 month to retrieve the data, convert it to SQL using SpiderMonkey and some custom JavaScript code, and import it into a database. The database contains Twitter conversations (also stored in the OZ_initData variable), person names, aliases/nicknames, multiple past educations (institute, study, start/end date), multiple past work experiences (employer, function, start/end date), links to Picasa photo albums, …. — and in ~15.000.000 cases, also the username and therefore @gmail.com address. In summary: 1 month + 1 connection = 1 database containing 35.000.000 Google Profiles.
UPDATE 2011-05-23 #1: I’m currently writing a scientific paper about the topic discussed below. The activities are performed as part of my research on anonymity/privacy in the System & Network Engineering research group at the University of Amsterdam. A tweet on May 20th 2011 by Mikko Hypponen, as described here, urged me to post a bit prematurely. Google has been informed.
Apple’s Mac App Store Puts Users At Risk  [security.thejoshmeister.com]
Users of Apple Inc.’s Mac App Store, a feature added to Mac OS X v10.6 Snow Leopard and built into the upcoming v10.7 Lion operating system, may be putting their computer’s security at risk.
Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a ‘critical’ security issue. Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11.
It seems that companies are losing our data left and right, making it difficult for consumers to protect their identity. Most web site logins consist of nothing more than a username/password combination, and many users use the same password across multiple sites due to the sheer number of places that require a login. It’s a difficult problem to solve, but we should be coming up with ways to increase the security of websites. That’s why it’s shocking to see Red Robin, a large burger chain in the United States and Canada, use the customer’s phone number as the password to access their “Red Royalty” rewards program.
McDonalds payment security camera open to the internet  [yfrog.com]
Security camera pointing at a playground in the US open to the internet  [yfrog.com]
One of the keys to running a successful test of a TSA agent’s ability to detect a bomb in a traveler’s suitcase is to give the heads-up to the authorities that a drill is being run. That way, when – or rather if – the screener finds the device in question, their call to the police won’t have the cops drawing their guns in the middle of an airport.
And yet, that’s exactly what happened last week at the Minneapolis-St. Paul International Airport.
Compromised information used to verify user IDs
In yet another embarrassing PSN faux pas, Sony has had to take down its mandatory password reset page.
Some bright spark decided that the password could be reset by using only your PSN account email and date of birth to verify your identity – but both those details were compromised in the great PSN hack of April 2011.

Funny

Tech Support  [xkcd.com]
Lateness  [www.dilbert.com]
Sony BMG T-shirt  [www.f-secure.com]
Age verification  [i.imgur.com]
Voting machines  [xkcd.com]
Yoda Squirrel  [izkyoot.tumblr.com]
Firewalls  [dilbert.com]
Chewbacca Noodles  [noms.icanhascheezburger.com]
ISC2 On Ethics  [www.liquidmatrix.org]