Channel: BOT24

Android Installer Hijacking Bug Used as Lure for Malware

Mobile users became alarmed after the discovery of an Android bug dubbed the “Android Installer Hijacking vulnerability.” The flaw can allow cybercriminals to replace or modify legitimate apps with malicious versions that steal information. Given the high-profile nature of this discovery, we decided to search for threats that might exploit this vulnerability.

more here..........http://blog.trendmicro.com/trendlabs-security-intelligence/android-installer-hijacking-bug-used-as-lure-for-malware/

Paper: Pointer Analysis

Abstract
Pointer analysis is a fundamental static program analysis, with a rich literature and wide applications. The goal of pointer analysis is to compute an approximation of the set of program objects that a pointer variable or expression can refer to.

We present an introduction and survey of pointer analysis techniques, with an emphasis on distilling the essence of common analysis algorithms. To this end, we focus on a declarative presentation of a common core of pointer analyses: algorithms are modeled as configurable, yet easy-to-follow, logical specifications. The specifications serve as a starting point for a broader discussion of the literature, as independent threads spun from the declarative model.
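As an added illustration that is not part of the paper, the following Python sketch implements the inclusion-based core that such declarative presentations usually start from: four statement kinds, four inference rules, iterated to a fixed point. The statement encoding, the `andersen`/`may_alias` names and the sample program are my own construction. The analysis is flow- and context-insensitive, which is why `y` below ends up pointing to both `o3` and `o4` even though only one assignment to `x` reaches it at any time; that over-approximation is exactly the "approximation of the set of program objects" the abstract refers to.

```python
from collections import defaultdict

# Statement encoding (constructed for this example):
#   ("alloc", p, o)   p = new o      abstract object o flows into p
#   ("copy",  p, q)   p = q
#   ("load",  p, q)   p = *q
#   ("store", p, q)   *p = q
# Abstract objects double as "variables" holding the pointers stored through
# them, so one pts() map serves both (field-insensitive model).

def andersen(stmts):
    """Andersen-style inclusion analysis: apply the four rules until nothing changes.
    Returns {name: frozenset(abstract objects)} for every name with a non-empty set."""
    pts = defaultdict(set)

    def include(src, dst):
        # pts(src) ⊆ pts(dst); report whether pts(dst) grew
        before = len(pts[dst])
        pts[dst] |= pts[src]
        return len(pts[dst]) != before

    changed = True
    while changed:
        changed = False
        for kind, p, q in stmts:
            if kind == "alloc":              # q ∈ pts(p)
                if q not in pts[p]:
                    pts[p].add(q)
                    changed = True
            elif kind == "copy":             # pts(q) ⊆ pts(p)
                changed |= include(q, p)
            elif kind == "load":             # ∀o ∈ pts(q): pts(o) ⊆ pts(p)
                for o in list(pts[q]):
                    changed |= include(o, p)
            elif kind == "store":            # ∀o ∈ pts(p): pts(q) ⊆ pts(o)
                for o in list(pts[p]):
                    changed |= include(q, o)
            else:
                raise ValueError(f"unknown statement kind {kind!r}")
    return {name: frozenset(objs) for name, objs in pts.items() if objs}


def may_alias(result, a, b):
    """Two pointers may alias if their points-to sets intersect."""
    return bool(result.get(a, frozenset()) & result.get(b, frozenset()))


# Constructed sample program (statement order is irrelevant to this analysis):
#   a = new o1;  b = new o2;  p = a;  *p = b;  q = *a;  r = q;
#   x = new o3;  y = x;  x = new o4
PROGRAM = [
    ("alloc", "a", "o1"), ("alloc", "b", "o2"),
    ("copy", "p", "a"), ("store", "p", "b"),
    ("load", "q", "a"), ("copy", "r", "q"),
    ("alloc", "x", "o3"), ("copy", "y", "x"), ("alloc", "x", "o4"),
]

if __name__ == "__main__":
    for name, objs in sorted(andersen(PROGRAM).items()):
        print(f"pts({name}) = {{{', '.join(sorted(objs))}}}")
```

Each `elif` branch is one Datalog-style rule read left to right; swapping the `include` helper for a per-statement constraint graph, or adding a context or field dimension to the keys, is the kind of configuration the paper's declarative framing makes easy to express.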


Operation SMN – Winnti Update

Last October, Novetta led the cyber initiative Operation SMN with partners in the cyber security industry to target the malware used extensively by the threat actor group Axiom. During our investigations of active Axiom compromises, we came across new versions of the Winnti malware, which differed from previously observed versions that targeted online gaming companies to steal source code and digital certificates [1]. Digital certificates stolen by Winnti operators have later been used in other identified attacks [2].
Based on the compromises we were able to observe, we believe with high confidence that the Winnti operators were not the same actors as those who initially installed and leveraged Hikit in that environment. Instead, these operators made use of Hikit to gain access to the environment and then move laterally within that network to install Winnti as part of their own individual unique tool set.

more here...........http://www.novetta.com/2015/04/operation-smn-winnti-update/

How to use Docker Compose to run complex multi container apps on your Raspberry Pi

In this blog post we are going to walk you through the steps necessary to get started with Docker Compose and show how to use it.

To demonstrate the benefits of Docker Compose we are going to create a simple Node.js “Hello World” application which will run on three Docker Node.js containers. HTTP requests will be distributed to these Node.js nodes by an HAProxy instance running on another Docker container.

more here.........http://blog.hypriot.com/post/docker-compose-nodejs-haproxy/

Wow: Fed, State Agencies & 2 Private Security Firms Couldn't Even Recover Encrypted Files - Tewksbury police pay ransom to hackers holding data hostage

This is a great idea IMO. All governments should be doing this- "Japan tries to make password security sexy by resorting to manga tropes"

WHAT'S NEUTRINO EK BEEN UP TO LATELY?

Deviare Hooking Engine is Open Source and Deviare In-Proc Supports .NET Hooking

Deviare is a professional hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions whose symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with any programming language that supports COM, such as C/C++, VB, C#, Delphi, and Python.

Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security. Computer science researchers are also using Deviare to conduct malware and reverse engineering studies. Our blog articles contain a vast quantity of code samples to get you started easily.

more here........http://blog.nektra.com/main/2015/04/07/deviare-hooking-engine-is-open-source-and-deviare-in-proc-supports-net-hooking/

and here..........https://github.com/nektra/deviare2

A Hacker’s-Eye View of the Internet of Things

Paper: Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme

Abstract
The Bitcoin ecosystem has suffered frequent thefts and losses affecting both businesses and individuals. Due to the irreversibility, automation, and pseudonymity of transactions, Bitcoin currently lacks support for the sophisticated internal control systems deployed by modern businesses to deter fraud.

To address this problem, we present the first threshold signature scheme compatible with Bitcoin’s ECDSA signatures and show how distributed Bitcoin wallets can be built using this primitive. For businesses, we show how our distributed wallets can be used to systematically eliminate single points of failure at every stage of the flow of bitcoins through the system. For individuals, we design, implement, and evaluate a two-factor secure Bitcoin wallet.

more here.........http://www.cs.princeton.edu/~stevenag/threshold_sigs.pdf

How Heartbleed could've been found

tl;dr With a reasonably simple fuzzing setup I was able to rediscover the Heartbleed bug. This uses state-of-the-art fuzzing and memory protection technology (american fuzzy lop and Address Sanitizer), but it doesn't require any prior knowledge about specifics of the Heartbleed bug or the TLS Heartbeat extension. We can learn from this to find similar bugs in the future.
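An added example, mine rather than the post's own AFL harness, showing in Python the bug class the post's fuzzer rediscovered and why a format-blind mutation of the length field exposes it. The heartbeat layout (type, two-byte payload length, payload, 16 bytes of padding) follows RFC 6520; the `memory` bytes, the neighbouring "secret" and the one-byte mutation loop are constructed stand-ins for the heap and for AFL, and `leaks_adjacent_memory` plays the role AddressSanitizer plays in the real setup by flagging any response that carries bytes from outside the record. The `hardened_respond` check mirrors the shape of the OpenSSL fix (reject a record whose declared payload plus padding does not fit inside it).

```python
import random
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER = 3          # type (1) + payload_length (2)
PADDING = 16        # RFC 6520 minimum padding

def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets a test lie about the payload size."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HEARTBEAT_REQUEST]) + n.to_bytes(2, "big") + payload + b"\x00" * PADDING

def vulnerable_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Pre-fix behaviour: trust payload_length and copy that many bytes starting at the
    payload. `memory` models the heap (the record followed by whatever sits after it);
    `record_len` is the real record length, which this version never consults."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    claimed = int.from_bytes(memory[1:3], "big")
    payload = memory[HEADER:HEADER + claimed]   # reads past the record when claimed is too big
    return bytes([HEARTBEAT_RESPONSE]) + claimed.to_bytes(2, "big") + payload + b"\x00" * PADDING

def hardened_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: drop any record whose declared payload cannot fit inside it."""
    if record_len < HEADER + PADDING or memory[0] != HEARTBEAT_REQUEST:
        return None
    claimed = int.from_bytes(memory[1:3], "big")
    if HEADER + claimed + PADDING > record_len:
        return None                             # silently discard, as the OpenSSL fix does
    payload = memory[HEADER:HEADER + claimed]
    return bytes([HEARTBEAT_RESPONSE]) + claimed.to_bytes(2, "big") + payload + b"\x00" * PADDING

def leaks_adjacent_memory(respond: Callable, record: bytes, neighbour: bytes) -> bool:
    """Oracle standing in for AddressSanitizer: True if the handler copied bytes that lie
    beyond the end of the record, i.e. bytes of `neighbour`."""
    resp = respond(record + neighbour, len(record))
    if resp is None:
        return False
    bytes_copied = len(resp) - HEADER - PADDING
    return bytes_copied > len(record) - HEADER

def fuzz(respond: Callable, seed_input: bytes, neighbour: bytes,
         iterations: int = 2000, seed: int = 1) -> Optional[bytes]:
    """Format-blind mutation loop: overwrite one random byte per iteration and ask the
    oracle whether the handler over-read. Returns the first offending input, or None."""
    rng = random.Random(seed)
    for _ in range(iterations):
        buf = bytearray(seed_input)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        if leaks_adjacent_memory(respond, bytes(buf), neighbour):
            return bytes(buf)
    return None

if __name__ == "__main__":
    valid = build_heartbeat(b"hello")                  # constructed seed input
    secret = b"-----BEGIN RSA PRIVATE KEY-----"        # constructed neighbouring heap data
    hit = fuzz(vulnerable_respond, valid, secret)
    print("vulnerable handler:", hit.hex() if hit else "nothing found")
    print("hardened handler:  ", fuzz(hardened_respond, valid, secret))
```

The mutator knows nothing about heartbeats; it only needs a seed input that parses and an oracle that notices out-of-bounds reads, which is the division of labour between AFL and ASan in the post. Roughly one mutation in twelve lands on the two length bytes with a value large enough to run off the record, so the vulnerable handler is caught within a few hundred iterations while the hardened one never is.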


Facebook - bypass ads account's roles vulnerability 2015

BARF Project- A multiplatform open source Binary Analysis and Reverse engineering Framework

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated.

more here........https://github.com/programa-stic/barf-project

Guest Diary: Xavier Mertens - Analyzing an MS Word document not detected by AV software

Like everybody, I'm receiving a lot of spam every day but... I like it! All unsolicited received messages are stored in a dedicated folder for two purposes:

An automatic processing via my tool mime2vt (http://blog.rootshell.be/2014/12/15/automatic-mime-parts-scanning-with-virustotal/)
A manual review at regular intervals

This helps me to find new types of spam or new techniques used by attackers to deliver malicious content to our mailboxes. Today, I received an interesting Word document. I'm not sure if it is a very common one but I did a small analysis here.........https://isc.sans.edu/diary/Guest+Diary%3A+Xavier+Mertens+-+Analyzing+an+MS+Word+document+not+detected+by+AV+software/19555

Malvertising from Google advertisements via possibly compromised reseller

We are currently observing a large scale malvertising campaign originating from all the Google advertisement services resold by engagelab.com. It appears as if all of engagelab.com's advertisement and zone IDs are currently redirecting to a domain which in turn redirects to the Nuclear Exploit Kit, indicating a possible compromise at this reseller of Google advertisement services. This Nuclear Exploit Kit instance targets vulnerabilities in Adobe Flash, Oracle Java and Microsoft Silverlight.

more here......http://blog.fox-it.com/2015/04/07/liveblog-malvertising-from-google-advertisements-via-possibly-compromised-reseller/

Security Advisory: Persistent XSS in WP-Super-Cache

Security Risk: Dangerous
Exploitation level: Very Easy/Remote
DREAD Score: 8/10
Vulnerability: Persistent XSS
Patched Version: 1.4.4

During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fix that was included in the issue’s original patch, are fixed in version 1.4.4.

more here..........http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html

Dashlane Launches Inbox Scan; Identify Email Vulnerabilities in Seconds

Reflected Cross-Site Scripting vulnerability in asdoc generated documentation

------------------------------------------------------------------------
Reflected Cross-Site Scripting vulnerability in asdoc generated
documentation
------------------------------------------------------------------------
Radjnies Bhansingh, March 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability was found in Apache
Flex's asdoc generated API documentation. This issue allows attackers to
perform a wide variety of actions, such as stealing victims' session
tokens or login credentials (if available), performing arbitrary actions
on their behalf, and redirecting them to potentially malicious
websites.

------------------------------------------------------------------------
Affected products
------------------------------------------------------------------------
Apache Flex reports that all versions of Apache Flex before 4.14.1 are
affected by this vulnerability.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The Apache Flex team fixed the issue in asdoc in Apache Flex 4.14.1.
Users can also apply the following patch manually to fix this issue.
https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422

Users should upgrade their version of Apache Flex and regenerate their
current documentation generated with asdoc. Please note that any local
modifications to the asdoc index.html will need to be saved, as they are
not reapplied by asdoc to the newly generated documentation.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html

How the U.S. thinks Russians hacked the White House

WORDLISTS ENJOYMENT

Today I will write about wordlists for hash cracking. I prefer wordlists for a first run against collected hashes which I want to crack. Why? Because these wordlists are mainly built from leaked databases with real login data from humans, and humans tend to choose the same passwords over and over. Even two people who do not know each other might use the same password.
It also sorts out some of the data before starting with brute forcing. Brute forcing takes its time, and not everyone owns a really powerful GPU rig. Yes, there are also rainbow tables, and I like them too, but they consume more space than wordlists. And these days salts are getting very common, so that is where the wordlist comes in.

more here........https://capsop.com/wordlists
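As an added example that is not from the linked post: a small Python wordlist run against salted SHA-256 hashes, with a handful of mangling rules of the kind hashcat or John apply on top of a list. The "leak" is constructed inside the script from known passwords so it runs offline; the salts, usernames and wordlist are made up. The point it makes concrete is the one the post ends on: a per-user salt makes a precomputed rainbow table useless, because every table entry would have to be recomputed per salt, while a wordlist pass still recovers every password a human derived from a dictionary word at the cost of one hash per (salt, candidate) pair.

```python
import hashlib
from typing import Dict, Iterable, Tuple

def salted_sha256(salt: bytes, password: bytes) -> str:
    """Toy storage format: hex(sha256(salt || password)). A fast hash like this is what
    makes wordlist runs so cheap; real systems should use bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password).hexdigest()

def mangle(word: str) -> Iterable[str]:
    """A few rules of the kind hashcat/John apply on top of each wordlist entry."""
    forms = {word, word.capitalize(), word.upper()}
    forms.add(word.replace("a", "@").replace("e", "3").replace("o", "0"))   # l33t
    for base in list(forms):
        for suffix in ("1", "123", "!", "2015"):
            forms.add(base + suffix)
    return forms

def crack(targets: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """targets: {user: (salt_hex, digest_hex)}. Returns {user: recovered password}.
    Every salt forces a fresh hash per target, so nothing can be precomputed; the
    work is len(wordlist) * rules * targets hashes, still tiny next to brute force."""
    pending = {user: (bytes.fromhex(salt), digest) for user, (salt, digest) in targets.items()}
    found: Dict[str, str] = {}
    for line in wordlist:
        word = line.strip()
        if not word:
            continue
        for cand in mangle(word):
            pw = cand.encode()
            for user, (salt, digest) in list(pending.items()):
                if salted_sha256(salt, pw) == digest:
                    found[user] = cand
                    del pending[user]
        if not pending:
            break
    return found

# Constructed "leak": the hashes are generated here from known passwords so the script
# runs offline; in practice they come straight from the dumped user table.
_LEAK_PLAINTEXT = {
    "alice": ("a1b2c3d4", "Password123"),
    "bob":   ("00ff00ff", "dragon"),
    "carol": ("deadbeef", "l3tm3in"),
    "dave":  ("cafebabe", "correct horse battery staple"),
}
SAMPLE_TARGETS = {u: (s, salted_sha256(bytes.fromhex(s), p.encode()))
                  for u, (s, p) in _LEAK_PLAINTEXT.items()}
SAMPLE_WORDLIST = ["password", "dragon", "letmein", "monkey", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_TARGETS, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
```

Three of the four accounts fall to five dictionary words plus trivial rules; the passphrase survives because no rule derives it from a single word. That gap, not GPU throughput, is the argument for running the wordlist first and reserving brute force for what is left.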