Channel: BOT24

ISIL DEFACEMENTS EXPLOITING WORDPRESS VULNERABILITIES

Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.

more here.........http://www.ic3.gov/media/2015/150407-1.aspx

keyserver-elasticsearch

This is the documentation for https://keyserver-elasticsearch.daylightpirates.org/

It is an elasticsearch node that contains a recent dump of the SKS keyserver pool database (I maintain a keyserver in the pool). This pool is what GPG uses by default to fetch public keys when using gpg --recv-key. The purpose of this elasticsearch project is to let people do data analysis on the keys in the pool.

more here.......https://github.com/diafygi/keyserver-elasticsearch

[CVE-2015-0779]: Novell ZenWorks Configuration Management remote code execution

I've found and reported an unrestricted file upload vulnerability in
Novell ZenWorks Configuration Management which can be abused to
achieve remote code execution.

The full advisory text is below, and can also be obtained from my repo
[1]. A Metasploit module has been submitted and should hopefully be
accepted soon [2].

Regards,
Pedro Ribeiro

Remote code execution in Novell ZENworks Configuration Management 11.3.1
Discovered by Pedro Ribeiro (pedrib () gmail com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015

Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center."

This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).


Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>

The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be "../webapps/"). A
Metasploit module that exploits this vulnerability has been released.


Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.


[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
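For defenders who cannot upgrade immediately, one practical step is to check web server access logs for requests to the UploadServlet whose uid parameter walks out of its directory or whose filename is a deployable archive. The following Python is an added example written for this post, not code from the advisory, Novell, or the Metasploit module; the log lines, IP addresses, and file names in it are constructed, and the combined-log format is an assumption about the reader's Tomcat or reverse proxy setup.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined-log style); not taken from
# the advisory or from any real system. Two are suspicious, two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2015:10:01:02 +0000] "POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war HTTP/1.1" 200 12
10.0.0.7 - - [07/Apr/2015:10:02:15 +0000] "POST /zenworks/UploadServlet?uid=%2e%2e%2fwebapps%2f&filename=x.war HTTP/1.1" 200 12
10.0.0.9 - - [07/Apr/2015:10:03:40 +0000] "POST /zenworks/UploadServlet?uid=4f2c1a&filename=report.txt HTTP/1.1" 200 12
10.0.0.9 - - [07/Apr/2015:10:04:01 +0000] "GET /zenworks/index.jsp HTTP/1.1" 200 3021
"""

# Pulls the method and request target out of the quoted request field.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def is_traversal(value: str) -> bool:
    """True if the value (decoded twice, to catch double encoding) contains a
    '..' path segment, i.e. it walks out of the intended upload directory."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))

def find_suspicious_uploads(log_text: str) -> list:
    """Return (client_ip, uid, filename, reasons) for every UploadServlet
    request that uses a traversal uid or names a WAR file."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/zenworks/UploadServlet"):
            continue
        qs = parse_qs(parts.query)           # parse_qs percent-decodes once
        uid = qs.get("uid", [""])[0]
        filename = qs.get("filename", [""])[0]
        reasons = []
        if is_traversal(uid):
            reasons.append("traversal in uid")
        if filename.lower().endswith(".war"):
            reasons.append("WAR filename (auto-deployed by Tomcat)")
        if reasons:
            hits.append((line.split()[0], uid, filename, reasons))
    return hits

if __name__ == "__main__":
    for ip, uid, fname, why in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{ip}: uid={uid!r} filename={fname!r} -> {', '.join(why)}")
```

A hit is only evidence that an attempt was made; confirm by checking the Tomcat webapps directory for unexpected WAR files and their deployment timestamps, and apply the 11.3.2 upgrade regardless.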

A bug in the Sundown and Redcarpet markdown parsers may lead to XSS

In early February 2015, I reported an XSS vulnerability in HackerOne itself. After some investigation, we determined that the vulnerability was due to a bug in version 3.2.2 of the Redcarpet markdown parser … which was due to a bug in the autolink feature in version 1.16.0 of the Sundown markdown parser that Redcarpet was based off of.

more here..........http://danlec.com/blog/bug-in-sundown-and-redcarpet

Slides Slides and More Slides From SyScan'2015 & CanSecWest 2015

Python script today to extract attachments from emails.

I wasn’t going to write a blog post on this, but figured I would go ahead and share it anyway.

I often find myself searching VirusTotal for tag:email and checking out the various phishing emails that get posted to VT.

Well, today I had some of my Yara rules trigger on some various domains that I track in the To: line.

So I downloaded them and then I am left trying to pull out the attachments and decode them so I can perform analysis. That’s when I saw the email module for Python and started playing around with it.

more here.........https://sysforensics.org/2015/04/extract-attachments-extachment.html

Drive-by-login attack: the end of safe web

The information security industry has been familiar with drive-by-download attacks for over a dozen years. According to Comodo, "a 'drive-by-download' attack is a malware delivery technique that is triggered simply because the user visited a website". Updated software, an installed antivirus and basic knowledge of computer security can prevent 95% of drive-by-download attacks today. The information security industry is evolving every day, bringing new products and solutions aimed at stopping known cyberattacks. Obviously, at the same time, hackers are creating new attack techniques and vectors that are simple and efficient to use. In this blog post, we are going to share some interesting facts about a new vector of drive-by-download attack that we called 'drive-by-login' here.......https://www.htbridge.com/blog/drive_by_login_attack_the_end_of_safe_web.html

A flawed ransomware encryptor

In the middle of last year, my colleagues published a blogpost about a new generation of ransomware programs based on encryptor Trojans, and used the example of the Onion family (also known as CTB-Locker) to analyze how these programs work.

Last autumn, we discovered the first sample of an interesting new encryptor, TorLocker (this is the original name given by the creator); later on, TorLocker was used to launch an attack on Japanese users. When it was discovered on 24 October, 2014, the proactive components in Kaspersky Lab's products already detected this piece of malware; later on, it was assigned the verdict 'Trojan-Ransom.Win32.Scraper'.

more here.......https://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/

Next Generation Dynamic Analysis with PANDA

PANDA is a platform for architecture-neutral dynamic analysis [1] built on top of the QEMU system emulator, which makes it feasible to access all code executing in the guest and all data being manipulated in the guest virtual machine. PANDA supports the same architectures as QEMU, so code from every supported instruction set can be executed as LLVM IR.

PANDA (Platform for Architecture-Neutral Dynamic Analysis) offers a number of features that can be effectively used to analyze software here........https://www.proteansec.com/linux/next-generation-dynamic-analysis-with-panda/

Google purges bad extensions from Chrome

Weakforced

The goal of 'wforced' is to detect brute forcing of passwords across many servers, services and instances. In order to support the real world, brute force detection policy can be tailored to deal with "bulk, but legitimate" users of your service, as well as botnet-wide slowscans of passwords.

more here.......https://github.com/ahupowerdns/weakforced

White Paper: An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks

Abstract
Cities around the world are becoming increasingly smart, which creates huge attack surfaces for potential cyber attacks. In this paper, IOActive Labs CTO Cesar Cerrudo provides an overview of current cyber security problems affecting cities as well as real threats and possible cyber attacks that could have a huge impact on cities. Cities must take defensive steps now, and Cesar offers recommendations to help them get started.

more here.........http://www.ioactive.com/pdfs/IOActive_HackingCitiesPaper_CesarCerrudo.pdf

Secure PGP Key Sync - A Proposal (cont’d)

This post is a continuation of a previous post on encrypted sync of a user’s private PGP key. In the previous post we discussed that in today’s multi screen world it is mandatory to be able to read and write encrypted messages on several devices at once. In this context we proposed a specification for encrypted key synchronization. This post will once again highlight this topic by introducing a new simplified version of the specification here.........https://blog.whiteout.io/2015/04/08/secure-pgp-key-sync-a-proposal-contd/

Analysis of KRIPTOVOR: Infostealer+Ransomware

KRIPTOVOR, from the Russian word ‘kripto’ which means crypto and ‘vor’ which means thief, is what we named this malware family due to its Russian stomping grounds and the malware’s behavior. FireEye Labs has collected several samples of this malware (see the Appendix), which primarily targets Russian businesses, or any international companies that do business in Russia.

more here........https://www.fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html

Fidelis Threat Advisory #1015: Ratting on AlienSpy

This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years, and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research as well as a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT.

more here..........http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf

Paper: THE ROLE OF OFFENSIVE CYBER OPERATIONS IN NATO’S COLLECTIVE DEFENCE

New military technologies are destabilising. Computers used for attack are one such technology. NATO has made considerable progress in its efforts to integrate cybersecurity into its planning processes, but while it may have gone as far as the political environment allows, it needs to do more.

read more here........https://ccdcoe.org/sites/default/files/multimedia/pdf/TP_08_2015.pdf

The 10 Most Common Application Attacks in Action

Nowadays, application development is moving more and more onto the Web. The Web hosts entire productivity suites such as Google Docs, calculators, email, storage, maps, weather and news — everything we need in our daily lives. Our mobile phones are useless without the Internet since nearly all mobile applications connect to the cloud, storing our pictures, usernames and passwords and private information. Even our home devices are now connecting to the Web, with Internet of Things platforms such as Wink that allow users to dim their house lights right from their mobile phone.

The application layer is the hardest to defend. The vulnerabilities encountered here often rely on complex user input scenarios that are hard to define with an intrusion detection signature. This layer is also the most accessible and the most exposed to the outside world. For the application to function, it must be accessible over Port 80 (HTTP) or Port 443 (HTTPS).

more here.........http://securityintelligence.com/the-10-most-common-application-attacks-in-action/#.VSVc9_nF-So

Open redirect in rfc6749 aka 'The OAuth 2.0 Authorization Framework'

Several months ago I did realize that if you want to implement an OAuth Authorization Server and follow the OAuth core spec verbatim, you might end up having an Open Redirect.
Now there is still some debate about this class of vulnerability, since often they are relatively benign, but not always (as we can see later).
Despite all this, at that point I notified the OAuth working group. There was some longish discussion, but eventually (almost) all on the list agreed that this was somehow an issue (nowhere near the end of the world :)).

more here..........http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

MS14-068 (Windows Kerberos Could Allow Elevation of Privilege) Background- Adaptive Threat Division

On a recent assessment, we found a Domain Controller that was vulnerable to the infamous MS14-068 exploit. While trying to get the exploit working properly, we ran into some random issues that we needed to work through. I wanted to document the process we used for successful exploitation, as well as the fixes we developed along the way here.........http://www.verisgroup.com/2015/04/08/ms14-068-background/


Dissecting Turla Rootkit Malware Using Dynamic Analysis

Many of today’s advanced persistent threats have been climbing up the ladder - quite literally: Instead of only using user-mode components, APTs more and more frequently include components that are running as part of the operating system kernel.

These kernel components run with the same, or even higher, privileges than most security solutions, and are thus outside the reach of traditional layers of protection. At the same time, running in the context of the kernel also evades scrutiny from security analysts as well as traditional analysis sandboxes, as we described in a previous blog post.

In this post, we want to dive deeper into one specific family containing a kernel component: Turla APT. We summarize some of the tricks the malware authors use to bypass security mechanisms present in the Windows operating system kernel. These tricks have been studied by security experts previously [1, 2], and we show how Lastline’s high-resolution sandbox is able to track this activity fully automatically to detect this threat and protect users.

more here..........http://labs.lastline.com/dissecting-turla-rootkit-malware-using-dynamic-analysis