Channel: BOT24

OpenSSL CookBook

A Short Guide to the Most Frequently Used OpenSSL Features and Commands

more here...........https://www.feistyduck.com/library/openssl-cookbook/

Wood Island (Crypto - 150) writeup from BostonKeyParty CTF

Task:

You can try to sign messages and send them to the server, 52.0.217.48 port 60231. Sign the right message and you'll get the flag! Only problem---you don't have the signing key. I will give you this, though: sigs.txt is a file containing a bunch of signatures. I hope it helps. (P.S. Don't try and send the exact signatures in that file---that's cheating!)

more here.......https://ctfcrew.org/writeup/98

CryptoFortress : Teerac.A (aka TorrentLocker) got a new identity

Blitz post.
I was hunting for Gootkit (pushed in a Nuclear Pack instance in France those days) but instead I got a Teerac.A


more here.........http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html

CSRF in Contact Form DB allows attacker to delete all stored form submissions (WordPress plugin)

Details
================
Software: Contact Form DB
Version: 2.8.29
Homepage: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Advisory report: https://security.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
CVE: CVE-2015-1874
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
CSRF in Contact Form DB allows attacker to delete all stored form submissions

Vulnerability
================
An attacker able to convince a logged-in admin user to follow a link (for instance via spearphishing) will be able to cause all records stored by this plugin to be removed. The admin page handler acts on the POST parameters alone and does not verify that the request originated from the plugin's own UI (no nonce check), so the browser's automatic inclusion of the WordPress session cookie is all the attacker needs.

Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, all records stored by the plugin will be deleted (in a real attack the form can be made to auto-submit using JavaScript).
<form action="http://localhost/wp-admin/admin.php?page=CF7DBPluginSubmissions" method="post">
  <input name="all" type="text" value="y">
  <input name="delete" type="text" value="y">
  <input type="submit">
</form>
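The root cause is an admin-page action that performs a destructive operation on a POST without checking that the request came from the plugin's own UI. Below, as an added example that is not the plugin's code, is the vulnerable handler pattern beside a hardened version that uses WordPress's nonce and capability checks. The function names, the nonce action string and the table name are assumptions for illustration; `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `submit_button`, `admin_url` and `esc_url` are real WordPress APIs.

```php
<?php
// Added example, not the Contact Form DB plugin's code. Table and function names are hypothetical.

// Vulnerable pattern: treats "the user is logged in" as proof that the user intended this action.
// Any page the admin's browser visits can POST all=y&delete=y here; cookies are attached automatically.
function cf7dbp_example_handle_delete_vulnerable() {
    global $wpdb;
    if ( isset( $_POST['all'], $_POST['delete'] ) && 'y' === $_POST['all'] && 'y' === $_POST['delete'] ) {
        $wpdb->query( "DELETE FROM {$wpdb->prefix}cf7dbp_example_submits" ); // hypothetical table
    }
}

// Hardened pattern, part 1: the form that the plugin itself renders carries a nonce.
// wp_nonce_field() emits hidden _wpnonce and _wp_http_referer inputs bound to the action name,
// the current user and the current session.
function cf7dbp_example_render_delete_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=CF7DBPluginSubmissions' ) ); ?>">
        <?php wp_nonce_field( 'cf7dbp_example_delete_all' ); // hypothetical action name ?>
        <input type="hidden" name="all" value="y">
        <input type="hidden" name="delete" value="y">
        <?php submit_button( 'Delete all submissions', 'delete' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler refuses requests that lack a valid nonce or come from
// a user without the required capability. Both checks are needed: the capability check is
// authorisation, the nonce check is proof of intent (anti-CSRF). Neither replaces the other.
function cf7dbp_example_handle_delete_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['all'], $_POST['delete'] ) || 'y' !== $_POST['all'] || 'y' !== $_POST['delete'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies $_POST['_wpnonce'] for this action and calls wp_die() on failure.
    // Nonces expire after 12 to 24 hours and cannot be produced by a third-party site, so the
    // attacker's form from the proof of concept (which has no _wpnonce field) is rejected.
    check_admin_referer( 'cf7dbp_example_delete_all' );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}cf7dbp_example_submits" ); // hypothetical table
}
```

The same check must be applied to every state-changing action the page accepts, not only bulk deletion; a single unprotected parameter combination is enough, and an action reachable through GET parameters is exposed via a plain `<img>` or link as well as a POST form.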

Mitigations
================
Upgrade to version 2.8.32 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2015-02-05: Discovered
2015-02-17: Reported to vendor by email
2015-02-22: Vendor responded and agreed a schedule for fix
2015-02-23: Vendor published a fix in version 2.8.32
2015-03-04: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

USN Journal: Where have you been all my life

One of the goals of IR engagements is to locate the initial infection vector and/or patient zero. In order to determine this, timeline analysis becomes critical, as does determining when the malware was created and/or executed on a system.

This file create time may become extremely critical if you're dealing with multiple or even hundreds of systems and trying to determine when and where the malware first made its way into the environment.

But what happens when the malware has already been remediated by a Systems Administrator, deleted by an attacker, or new AV signatures are being pushed out, resulting in the malware being removed?


more here........http://az4n6.blogspot.com/2015/03/usn-journal-where-have-you-been-all-my.html

A new breed of startups is helping hackers make millions — legally

Shashank Kumar was in seventh grade when he was introduced to computer hacking. At first he had fun breaking in and defacing web sites, something he says he now regrets, but then he learned that he can get paid for reporting the weaknesses he was exploiting. Under the handle @cyberboyIndia, he says he has earned around $30,000 in so called bug bounties, enough to pay for a good portion of his college education.

more here........http://www.theverge.com/2015/3/4/8140919/get-paid-for-hacking-bug-bounty-hackerone-synack

Tokenization as a companion to Encryption

For the protection of sensitive data, tokenization is every bit as important as data encryption.

more here.........http://security-musings.blogspot.ca/2015/03/tokenization-as-companion-to-encryption.html

No Wireshark? No TCPDump? No Problem!

Have you ever been on a pentest, or troubleshooting a customer issue, and the "next step" was to capture packets on a Windows host? Then you find that installing WinPcap or Wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way.

more here......https://isc.sans.edu/diary/No+Wireshark%3F+No+TCPDump%3F+No+Problem%21/19409

Computer Fraud and Abuse Act (“CFAA”) Court of Appeals (USA Vs BRIAN MATTHEW RICH) - Interesting Case As Many Laws Are Too Far Reaching IMO As It Is

Argument:
I. The CFAA does not criminalize accessing a computer by using a shared password
  A. This Court has held that the CFAA's "unauthorized access" element prohibits computer hacking, not mere bad-faith access
  B. Interpreting the CFAA to criminalize shared-password access would yield absurd results
  C. Interpreting the CFAA to criminalize shared-password access would render the statute void for vagueness as applied in this case
  D. As in WEC Carolina, the rule of lenity dictates a narrow interpretation of the CFAA

Full document here..........http://www.washingtonpost.com/news/volokh-conspiracy/wp-content/uploads/sites/14/2015/03/SharedPassword.pdf

Thousand ways to backdoor a Windows domain (forest)

When the Kerberos elevation of privilege (CVE-2014-6324 / MS14-068) vulnerability was made public, the remediation paragraph of the following blog post made some waves:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."

Personally, I agree with this, but... whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. a scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)

But rebuilding a single workstation and rebuilding a whole domain are not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).

There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.


more here..........http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html

Domain Trusts: Why You Should Care

Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public infosec discussions. While the community has started to talk more about Active Directory exploitation (see Carlos Perez’s talk at Derbycon ’14) I haven’t seen a huge amount of information discussing domain trusts from an offensive perspective. I have to admit, this topic was pretty murky for me when I started red teaming. This is one of the big reasons I wrote the “Trusts You Might Have Missed” post.

All of this information can get a bit dense. If you don’t come from a Windows sysadmin or formalized red team background, abusing domain trusts can seem a bit foreign. I wanted to put together a concrete, multi-step example to bring everything together. Think of this as a case study. Once you see the power of domain trust abuse from an offensive perspective, I promise you’ll be a convert.

more here........http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/

FTC Announces New Robocall Contests to Combat Illegal Automated Calls

The Federal Trade Commission announced today that it is launching two new robocall contests challenging the public to develop a crowd-source honeypot and better analyze data from an existing honeypot. A honeypot is an information system that may be used by government, private and academic partners to lure and analyze robocalls. The challenges are part of the FTC’s long-term multi-pronged effort to combat illegal robocallers and contestants of one of the challenges will compete for $25,000 in a top prize.

more here for those interested....http://www.ftc.gov/news-events/press-releases/2015/03/ftc-announces-new-robocall-contests-combat-illegal-automated

Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player

At the end of January, Adobe published the security bulletin APSA15-01 for Flash Player, which fixes a critical use-after-free vulnerability affecting Adobe Flash Player 16.0.0.287 and earlier versions. This vulnerability, identified as CVE-2015-0311, allows attackers to execute arbitrary code on vulnerable machines by enticing unsuspecting users to visit a website serving a specially crafted SWF Flash file.

The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight.

more here..........http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/


Decoding ZeuS Disguised as an .RTF File

While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.

more here.......http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/

CVE-2014-6440: Heap Overflow in VLC Transcode Module

VLC versions before 2.1.5 contain a vulnerability in the transcode module that may allow a corrupted stream to overflow buffers on the heap. With a non-malicious input, this could lead to heap corruption and a crash. However, under the right circumstances, a malicious attacker could potentially use this vulnerability to hijack program execution, and on some platforms, execute arbitrary code.

more here......http://billblough.net/blog/2015/03/04/cve-2014-6440-heap-overflow-in-vlc-transcode-module/

Meet Casper: Yet Another Malware Likely Created by France for Surveillance

Two weeks ago, a group of cybersleuths revealed the best evidence yet that France is hacking and infecting surveillance targets—just like the NSA or the British spy agency GCHQ.

Now, researchers have discovered the existence of Casper, a stealthy tool designed to profile victims and flag persons of interest for further surveillance, according to a new report to be published on Thursday.

more here........http://motherboard.vice.com/read/meet-casper-yet-another-malware-likely-created-by-france-for-surveillance

CIRCL releases the source code of its URL Abuse software

CIRCL announces the release of the source code of its latest software URL Abuse, which is being developed as part of the “European Union anti-Phishing Initiative” (EU PI) project. This project is coordinated by Cert-Lexsi and co-funded by the Prevention of and Fight against Crime programme of the European Union.

more here........https://www.circl.lu/pub/press/20150305/

NetTraveler (Chinese APT) RCEd Source Code

Hi to all,
I want to share with you guys this piece of code RCEd from the Chinese APT known as "NetTraveler" or "TravNet". Hope this knowledge will somehow be useful and interesting to you. The code isn't very complicated nor advanced; it is basically C code with a few C++ implementations.

more here.........http://www.kernelmode.info/forum/viewtopic.php?f=13&t=3765


Obama criticises China's mandatory backdoor tech import rules

US prez Barack Obama has criticised China's new tech rules, urging the country to reverse the policy if it wants a business-as-usual situation with the US to continue.

As previously reported, proposed new regulations from the Chinese government would require technology firms to create backdoors and provide source code to the Chinese government before technology sales within China would be authorised.

China is also asking that tech companies adopt Chinese encryption algorithms and disclose elements of their intellectual property.

more here........http://www.theregister.co.uk/2015/03/05/obama_criticises_china_tech_rules_backdoor_terrorism/

Another Writeup On Casper Today: Casper Malware: After Babar and Bunny, Another Espionage Cartoon

In March 2014, French newspaper Le Monde revealed that France is suspected by the Communications Security Establishment Canada (CSEC) of having developed and deployed malicious software for espionage purposes. This story was based on presentation slides leaked by Edward Snowden, which were then published by Germany’s Der Spiegel in January 2015.

more here..........http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/