TLS Prober

March 24, 2015, 12:19 am

≫ Next: Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit

≪ Previous: Unauthorized digital certificates for several Google domains

TLS Prober is a tool for identifying the implementation in use by SSL/TLS servers. It analyses the behaviour of a server by sending a range of probes then comparing the responses with a database of known signatures. Key features include:

Requires no knowledge of the server configuration.

Does not rely on the supported cipher suites (since administrators often change those).

Successfully identifies openssl, schannel, Java (JSSE), wolfSSL (previously CyaSSL), GnuTLS, MatrixSSL, mbedTLS (previously PolarSSL).

Supports both pure SSL/TLS protocols like HTTPS and those that use STARTTLS such as SMTP and POP3.

Reslient against differences in the build options used by a given server.

Extensible - you can easily record the signatures of additional implementations.

more here.......https://github.com/WestpointLtd/tls_prober

↧

Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit

March 24, 2015, 2:15 am

≫ Next: Simple source code level tricks that will make reverse engineering harder

≪ Previous: TLS Prober

It was found that Ubuntu 12.04 32-bit and Debian 7 Samba binaries contained a stack layout that was suitable for exploiting the recent _netr_ServerPasswordSet bug. I was able to develop a reliable exploit that grants pre-authenticated remote root against both systems here.....https://www.nccgroup.trust/en/blog/2015/03/exploiting-samba-cve-2015-0240-on-ubuntu-1204-and-debian-7-32-bit/

↧

Simple source code level tricks that will make reverse engineering harder

March 24, 2015, 3:11 am

≫ Next: Paper: Eclipse Attacks on Bitcoin’s Peer-to-Peer Network

≪ Previous: Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit

Many people rely only on virtualization software when protecting their binaries which is often very bad. There's plenty of information on existing VM protections on popular reversing sites, some even offer what is pretty much a 1-click devirtualization tool.

However, whether there's existing tools for fighting your choice of VM or it's still undocumented, there's absolutely no reason why you shouldn't put in extra effort to make reverse engineering harder. I will demonstrate one very simple method to do so: emulation of binary operations on the source code level here..........http://chaplja.blogspot.com/2015/03/simple-source-code-level-tricks-that.html

↧

Paper: Eclipse Attacks on Bitcoin’s Peer-to-Peer Network

March 24, 2015, 3:12 am

≫ Next: Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

≪ Previous: Simple source code level tricks that will make reverse engineering harder

Abstract
We present eclipse attacks on bitcoin’s peer-to-peer network.
Our attack allows an adversary controlling a suffi-
cient number of IP addresses to monopolize all connections
to and from a victim bitcoin node. The attacker can
then exploit the victim for attacks on bitcoin’s mining
and consensus system, including N-confirmation double
spending, selfish mining, and adversarial forks in the
blockchain. We take a detailed look at bitcoin’s peerto-peer
network, and quantify the resources involved in
our attack via probabilistic analysis, Monte Carlo simulations,
measurements and experiments with live bitcoin
nodes. Finally, we present countermeasures, inspired by
botnet architectures, that are designed to raise the bar for
eclipse attacks while preserving the openness and decentralization
of bitcoin’s current network architecture

more here.......http://eprint.iacr.org/2015/263.pdf

↧

Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

March 24, 2015, 7:06 am

≫ Next: Vulnerability Patching: Learning from AVG on Doing it Right

≪ Previous: Paper: Eclipse Attacks on Bitcoin’s Peer-to-Peer Network

We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. In detail:
Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores.
The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data.
Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices

more here........http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/

↧

Vulnerability Patching: Learning from AVG on Doing it Right

March 24, 2015, 7:08 am

≫ Next: 100 Days of Malware

≪ Previous: Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

As part of our research, we analyze the intricate relationship between Anti-Virus and Operating Systems (OS). During this process, we came across a vulnerability in AVG Internet Security 2015 build 5736 + Virus database 8919 released January 13th 2015.
The vulnerability? The affected AVG product had allocated a memory page with RWX permissions at a constant predictable address. This allocation had occurred for each created user-mode process.

more here........http://breakingmalware.com/vulnerabilities/vulnerability-patching-learning-from-avg-on-doing-it-right/

↧

100 Days of Malware

March 24, 2015, 7:09 am

≫ Next: Shadow Daemon

≪ Previous: Vulnerability Patching: Learning from AVG on Doing it Right

It's now been a little over 100 days since I started running malware samples in PANDA and making the executions publicly available. In that time, we've analyzed 10,794 pieces of malware, which generated:
10,794 record/replay logs, representing 226,163,195,948,195 instructions executed
10,794 packet captures, totaling 26GB of data and 33,968,944 packets
10,794 movies, which are interesting enough that I'll give them their own section
10,794 VirusTotal reports, indicating what level of detection they had when they were run by malrec
107 torrents, containing downloads of the above

more here.........http://moyix.blogspot.com/2015/03/100-days-of-malware.html

↧

Shadow Daemon

March 24, 2015, 7:11 am

≫ Next: usbguard

≪ Previous: 100 Days of Malware

Shadow Daemon is a collection of tools to detect, protocol and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.

more here........https://shadowd.zecure.org/overview/introduction/

↧

usbguard

March 24, 2015, 7:13 am

≫ Next: IETF92: BGPdump2 presented at IEPG by Yasuhiro Ohara

≪ Previous: Shadow Daemon

The usbguard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

more here........https://github.com/dkopecek/usbguard

↧

IETF92: BGPdump2 presented at IEPG by Yasuhiro Ohara

March 24, 2015, 7:16 am

≫ Next: Live-Armor

≪ Previous: usbguard

At the IEPG session at IETF92, Dallas, Yasuhiro Ohara from NTT showed his BGP tool bgpdump2. This is a really sweet package which can be used to compare BGP RIB dumps.

Its using a unix ‘diff’ format notation to show how two RIB states differ, which is immediately understandable to anyone used to using the diff command.

more here...........https://blog.apnic.net/2015/03/24/ietf92-bgpdump2-presented-at-iepg-by-yasuhiro-ohara/

↧

Live-Armor

March 24, 2015, 8:20 am

≫ Next: Deobfuscation: Test O-LLVM protected code with simplification passes.

≪ Previous: IETF92: BGPdump2 presented at IEPG by Yasuhiro Ohara

This repository contains the Live-Armor Guide, a guide to building custom Linux live images for security sandboxing using tools from the Debian Live Systems project and Grsecurity.

more here.........https://github.com/fatemachine/live-armor

↧

Deobfuscation: Test O-LLVM protected code with simplification passes.

March 24, 2015, 8:54 am

≫ Next: How Miscreants Hide From Browser Forensics

≪ Previous: Live-Armor

Roughly 5 years ago during researches in Taganrog Federal University we opened a discussion, what is the easiest way to protect program against heuristic analysis? The answer was easy, compile it with O0, O1, O2 and O3, and play with Ob and so on.

The best way to do it - is to take existing compiler and modify it. Flexible and good structured LLVM already started to be de facto standard for developing multi-platform compiler with new optimization features. So in that moment we wanted to use LLVM byte code optimization modules for code replication.

more here...........http://antoxar.blogspot.com/2015/03/deobfuscation-test-o-llvm-protected.html?spref=tw

↧

How Miscreants Hide From Browser Forensics

March 24, 2015, 11:07 am

≫ Next: How I Cracked Trivia Crack

≪ Previous: Deobfuscation: Test O-LLVM protected code with simplification passes.

Scammers, intruders and other miscreants often aim to conceal their actions from forensic investigators.When analyzing an IT support scam, I interacted with the person posing as the help desk technician. He brought up a web page on my lab system to present payment form, so I'd supply my contact and credit card details.He did this in a surprising manner, designed to conceal the destination URL.

more here.........http://digital-forensics.sans.org/blog/2015/03/24/hide-from-browser-forensics

↧

How I Cracked Trivia Crack

March 24, 2015, 12:58 pm

≫ Next: Learn How to Hack an App Video Series

≪ Previous: How Miscreants Hide From Browser Forensics

Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It’s the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I’ve never been very interested in gaming, my wife has recently become a huge fan of Trivia Crack. After watching her play for a while, I decided to download it and take a closer look into how it was implemented.

I began by monitoring the web API requests made over the network while using the Android app. Very quickly, I noticed something interesting during the game’s operation.

more here........http://randywestergren.com/how-i-cracked-trivia-crack/

↧

Learn How to Hack an App Video Series

March 24, 2015, 3:58 pm

≫ Next: nginx-1.7.11 mailine version release

≪ Previous: How I Cracked Trivia Crack

Learn how mobile apps are getting attacked and what you can do about it. Jonathan Carter from Arxan shows real life examples of tools and approaches readily available in the market to hack into a mobile application. here.......https://www.arxan.com/how-to-hack-a-mobile-application/

↧

nginx-1.7.11 mailine version release

March 24, 2015, 4:02 pm

≫ Next: Hanjuan EK’s ‘March Madness’ malvertising campaign

≪ Previous: Learn How to Hack an App Video Series

Includes experimental thread pools support, proxy_request_buffering and other features here........http://nginx.org/

↧

Hanjuan EK’s ‘March Madness’ malvertising campaign

March 24, 2015, 5:33 pm

≫ Next: Cryptol (The Language of Cryptography) version 2.2.0 release

≪ Previous: nginx-1.7.11 mailine version release

The lesser known and stealthy Hanjuan Exploit Kit, which for almost two months was using a Flash Player zero-day (CVE-2015-0313) to infect unsuspecting users, has been quite active again during the past couple of weeks.

The current malvertising campaign stems from the Engage:BDR ad network and has affected several high profile sites:

nydailynews.com
metacafe.com

more here...........https://blog.malwarebytes.org/exploits-2/2015/03/hanjuan-eks-march-madness-malvertising-campaign/

↧

Cryptol (The Language of Cryptography) version 2.2.0 release

March 24, 2015, 5:41 pm

≫ Next: Former Tesla Intern Releases $60 Full Open Source Car Hacking Kit For The Masses

≪ Previous: Hanjuan EK’s ‘March Madness’ malvertising campaign

The Cryptol specification language was designed by Galois for the NSA's Trusted Systems Research Group as a public standard for specifying cryptographic algorithms. A Cryptol reference specification can serve as the formal documentation for a cryptographic module. Unlike current specification mechanisms, Cryptol is fully executable, allowing designers to experiment with their programs incrementally as their designs evolve.

more about Cryptol here......https://github.com/GaloisInc/cryptol

and the latest release info here......https://github.com/GaloisInc/cryptol/releases/tag/v2.2.0

↧

Former Tesla Intern Releases $60 Full Open Source Car Hacking Kit For The Masses

March 25, 2015, 6:13 am

≫ Next: Surgeon with a Shotgun! – Memory Forensics

≪ Previous: Cryptol (The Language of Cryptography) version 2.2.0 release

Eric Evenchick knows what it’s like to be at the mercy of modes of transport. That might be why the former Tesla intern is so keen to hack his way to gaining greater control over the vehicles he travels in. When we speak over encrypted call app RedPhone, he’s stuck in Hong Kong airport waiting for a delayed flight to Singapore, where he’ll announce the open sourcing of the CANard tool during the BlackHat Asia conference.

more here.........http://www.forbes.com/sites/thomasbrewster/2015/03/25/hack-a-car-for-60-dollars/

↧

Surgeon with a Shotgun! – Memory Forensics

March 25, 2015, 6:18 am

≫ Next: Stealing files from web servers by exploiting a popular PDF generator

≪ Previous: Former Tesla Intern Releases $60 Full Open Source Car Hacking Kit For The Masses

With the ever-increasing need for speed and accuracy for digital investigations and incident response, it is imperative that organizations are able to provide answers quickly. These organizations rely on highly skilled individuals to provide them fast answers in a crisis situation. Manually parsing evidence can take a long time when going through the repeated process of running a tool followed by analyzing the output. The manual analysis method is tedious and time consuming, especially on limited traditional hardware.

more here.......http://blog.crowdstrike.com/surgeon-with-a-shotgun-memory-forensics/

↧

Latest Images