Channel: BOT24

Jailbreaking, China and Playing the Racial Discrimination Card

A number of people might know that not long ago I gave a talk titled “iOS 678 Security – A study in fail” at SyScan 2015. Within this talk I was exposing the really bad security track record of Apple Security since the iOS 6 jailbreak in early 2013. I showed in detail how Apple kept ignoring vital elements of the exploitation chains, which made succeeding jailbreaks easier, because they could reuse previous techniques developed by the evad3rs. I also showed how Apple repeatedly failed to fix the same vulnerabilities over and over again, which again helped a lot in the development of the iOS 7.x and iOS 8.x jailbreaks. I ended my presentation (as previously announced) with a discussion of the new phenomenon that iOS jailbreaks are coming from China since mid-2014. As part of this discussion I was comparing previous jailbreaks that were all made by western security researchers and hackers with those new Chinese ones. During that talk I exposed a number of things that the guys behind Pangu did not want to see exposed to the public, so they wrote a big blog post accusing me of racial discrimination to distract people from the presented facts.

more here........https://elevat0r.wordpress.com/2015/04/09/jailbreaking-china-and-playing-the-racial-discrimination-card/

Quickpost: Maldocs: VBA And Pastebin

SSHPsychos

Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. more here.......http://blogs.cisco.com/security/talos/sshpsychos
Graphic Showing SSH Psychos SSH Traffic vs Rest of Internet (Green)


The Banking Trojan Emotet: Detailed Analysis

Network Solutions Webmail - A tale about chained web vulnerabilities

===============================================================================
                  title: Network Solutions Webmail - A tale about chained web vulnerabilities
                case id: CM-2015-01
                product: Network Solutions Webmail
     vulnerability type: Multiple
               severity: Low to High
                  found: 2015-01-16
                     by: Cristiano Maruti (@cmaruti)
===============================================================================

[EXECUTIVE SUMMARY]

While reviewing the Network Solutions webmail, I identified various security
issues ranging from low to high severity. Some of them, chained together, could
allow an attacker to arbitrarily change the password of any e-mail account
hosted on the service provider. All things considered – the volume of customers
managed by the company and the kind of data affected by vulnerabilities –
customer's data is put at risk and these issues must be addressed immediately.
Below is a summary of the key findings:
- Weak password change mechanism
- Password complexity requirement not enforced
- Ability to reset a mailbox password to an arbitrary value
- Ability to enumerate and identify valid mailbox ID and corresponding e-mail
  address
- Improper input validation (reflected XSS)
- End-user forced to execute unwanted action (CSRF)

[TECHNICAL DETAILS]

The full report with technical details about the vulnerabilities I have
identified is available at:
https://github.com/cmaruti/reports/blob/master/netsol_web_mail.pdf

[DISCLOSURE TIMELINE]

2015-01-21 Report submitted to vendor via e-mail (point of contact is
the manager of abuse and fraud).
2015-01-22 Vendor requested more info about the vulnerabilities.
2015-01-23 Vendor triaged the vulnerabilities and the new point of
contact is the VP of Security Engineering & CSO.
2015-02-26 Vendor fixed the vulnerabilities reported.
2015-04-09 Public disclosure.

[SOLUTION]

Vendor addressed the vulnerabilities reported.

[REPORT URL]

https://github.com/cmaruti/reports/blob/master/netsol_web_mail.pdf

How to use pdb to debug Python Burp Extension

Burp Suite Pro is a great tool for penetration testing web applications. The app is written in Java and it includes a feature called “Extender” that supplies an API for developing Java-based extensions for the tool. Extender also allows for development of tools in Python, via Jython. As with any coding effort of reasonable complexity, developing extensions without a debugger can be painful.

more here..........http://foote.pub/2015/04/08/burp-extender-python.html

Beyond Superfish: a Journey on SSL MitM in the Wild

Recently Lenovo hit the news because they got caught installing adware on their laptops, namely Superfish, which, amongst other features, also performs SSL MitM on the infected computer.

Unfortunately, Superfish is not the only one that has been caught nullifying end-to-end SSL encryption. Many other software products and services are turning this "feature" into a nightmare: the result is that nowadays SSL Man in the Middle is not an uncommon scenario at all.

But how widespread is it?

more here.........http://blog.mindedsecurity.com/2015/04/beyond-superfish-journey-on-ssl-mitm-in.html

URL Masques on App Store

Recently we blogged about iOS URL hijacking in Masque Attack II [1]. According to Apple’s “App Programming Guide for iOS”, “If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme.” [2] However, when two apps register the same URL scheme, iOS always launches the same one to handle it in our experiments using multiple iOS versions and device models. Furthermore, one app can hijack another app from handling the same URL scheme if the developer crafts the bundle id carefully.

Without fixing this imperfect design, iOS leaves this issue to app developers. There are many URL scheme conflicts among apps in Apple store. While not all of them are malicious or hijacking, they do interfere with each other and cause trouble for users. We name URL scheme conflicts in iOS apps as URL Masques. In this blog, we will study URL Masques on App Store in depth, and discuss potential attacks using them here.........https://www.fireeye.com/blog/threat-research/2015/04/url_masques_on_apps.html

Apple keeps trust in Chinese CA

Apple has kept root certificates from the China Internet Network Information Center (CNNIC) despite both Google and Mozilla revoking trust in the agency altogether.
As part of security upgrades for both of its operating systems, the root certificate for the Chinese CA remains in the trusted stores for iOS and OS X. However, last month both Google and Mozilla removed CNNIC from their browsers’ respective trust stores after an intermediate CA called MCS Holdings installed an unrestricted certificate in a device capable of doing SSL interception, and issued certificates for several Google domains.

more here.........http://www.itsecurityguru.org/2015/04/09/apple-keeps-trust-in-chinese-ca/

Microsoft Defends Privacy by Challenging United States Search Warrant

Last evening, we filed our reply brief in our ongoing legal challenge to the U.S. government’s attempt to force us to turn over a customer’s email stored in our Irish data center. As we stated in our brief, we believe the law is on the side of privacy in this case.

We were gratified by the large number of organizations and individuals that filed amicus briefs in this case in December. They include leading technology and media companies, expert computer scientists, and trade associations and advocacy organizations that together represent millions of members on both sides of the Atlantic. As we said then, this case involves a broad policy issue that is important to the future of cloud computing.

more here........http://blogs.microsoft.com/on-the-issues/2015/04/09/our-legal-challenge-to-a-us-government-search-warrant/

nsec3map v0.3 - DNSSEC Zone Enumerator

nsec3map is a DNS zone enumerator that makes use of DNSSEC NSEC or NSEC3
records. It allows hosts to be discovered quickly and with a minimal number
of DNS queries (usually just one query per resource record).

In NSEC mode, it can be configured to send "A" queries, which can be
useful in cases where the nameserver blocks the direct querying of NSEC
records.

In NSEC3 mode, the tool finds a domain name which is not covered
by any received NSEC3 record locally and then queries the computed name
to receive a new record of the NSEC3 chain.
Once the chain (or a part of it) is obtained, the NSEC3 hashes can be
cracked (e.g. using John the Ripper) to get the plaintext record names.
This is usually not very hard to do using a dictionary attack or even
brute force, as domain names tend to be rather short and easy to guess.
nsec3map can also accurately extrapolate the total size of the NSEC3
chain based on the hash-distance covered by a small number of already
obtained records. Furthermore, it supports an aggressive mode which can
speed up the enumeration significantly by sending multiple queries in
parallel, although this might cause the tool to send more queries than
absolutely needed.

Version 0.3 of nsec3map is capable of enumerating a high percentage ( >
99% ) of NSEC3 records even if the zone is very large (e.g. a million or
more entries) in a matter of minutes on contemporary hardware.
A few years ago we also demonstrated that we were able to crack 84% of a
total of 1.31 million NSEC3 records obtained from a real TLD zone in a
few days using common CPUs at the time.

nsec3map v0.3 has now moved to a new repository on GitHub:
https://github.com/anonion0/nsec3map
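The two building blocks the description above relies on are the NSEC3 hash itself (RFC 5155 section 5: SHA-1 over the owner name in wire format plus the zone's salt, re-applied `iterations` times, encoded in base32hex) and the check a validating resolver makes to decide whether a name's hash falls into the gap that an NSEC3 record proves empty; only names whose hash is not yet covered are worth a further query. The following added example is not part of nsec3map; it implements both pieces with the standard library only and reproduces the apex hash from RFC 5155 Appendix A (salt `aabbccdd`, 12 iterations), which a zone operator can use to check what the chain exposes for their own names.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648) in lowercase; Python's b32encode
# uses the standard alphabet, so translate between the two.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by a zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 hash: IH(0) = SHA-1(wire || salt), IH(k) = SHA-1(IH(k-1) || salt),
    result is IH(iterations), rendered as 32 lowercase base32hex characters."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def covered(owner_hash: str, next_hash: str, candidate: str) -> bool:
    """True if `candidate` lies strictly inside the gap (owner_hash, next_hash)
    that one NSEC3 record proves to contain no names. The last record of the
    chain has owner_hash > next_hash and wraps around to the start."""
    if owner_hash < next_hash:
        return owner_hash < candidate < next_hash
    return candidate > owner_hash or candidate < next_hash


def uncovered_names(records, names, salt, iterations):
    """Given the (owner_hash, next_hash) pairs collected so far and a list of
    candidate names, return the names whose hash no record covers yet, i.e.
    names for which a query would reveal a new link of the chain."""
    out = []
    for name in names:
        h = nsec3_hash(name, salt, iterations)
        if not any(covered(o, n, h) or h == o for o, n in records):
            out.append(name)
    return out
```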

Adventures in PoSeidon genealogy: Tracking a malware family tree

In late March, Cisco blogged about an interesting case of Point-of-Sale (PoS) malware. Reading through their description, I couldn’t help but notice that the core exfiltration malware module named by Cisco, FindStr, is in its sixth and possibly even seventh incarnation. Could it be that there are other versions of that PoS malware which didn’t make it to be famous?

more here.......http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-genealogy-Tracking-a-malware-family-tree/ba-p/6730758#.VSccQPnF-So

Visual Basic Script malware reportedly used in TV5 Monde intrusion

On Thursday April 9th the French TV station TV5 Monde was reportedly knocked off the air by supporters of the Islamic State.

Information on how the attack was performed has been scarce. The only semi-technical information we have seen at the time of writing came from one of the initial news reports.

Blue Coat has no insider information on this intrusion, but we were able to find a piece of malware which, though not identical, matches many of the indicators given in the Breaking3Zero story.

more here.......https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-reportedly-used-tv5-monde-intrusion

Malware with a Fake Thumbnail Preview

Protecting ASP.NET Applications Against CSRF Attacks

The Encrypted Token Pattern is a defence mechanism against Cross Site Request Forgery (CSRF) attacks, and is an alternative to its sister patterns: Synchroniser Token and Double Submit Cookie.

Each of these patterns has the same objective:

- To ensure that any given HTTP request originated from a trustworthy source
- To uniquely identify the user that issued the HTTP request

more here...........http://insidethecpu.com/2015/04/10/protecting-asp-net-applications-against-csrf-attacks/

Finding Malicious Connections within Memory

Information security practitioners know the benefits of examining multiple sources of system data. This is one of the cornerstones of the SIEM. By accumulating multiple sources of log data a richer and fuller picture can be developed. I like to break down sources of security data into four categories:
- system state, including memory contents, registry entries, logged on users and more
- system disk, including stored files and their locations, system or event logs and more
- recorded network traffic and network IDS events/alerts and more
- third party logs from systems providing services such as DHCP, firewall logs, and more

more here.........https://labs.opendns.com/2015/04/09/finding-malicious-connections-within-memory/

Extending Search Granularity with Moloch Filters

In the course of investigating over 5,000 alerts one evening, from one IP, I needed to use Moloch to eliminate the alerts that bounced off the wall and concentrate on anything that might have succeeded.
If we disregard the possibility of servers leaking too much information via their stock error page, we can use Moloch to look at packets from the attacker's IP with a status code of 200.

more here........http://jeffsoh.blogspot.com/2015/04/extending-search-granularity-with.html

1st Annual Report on the oversight of the Huawei Cyber Security Evaluation Center in the UK

Hiding Malicious Traffic Under the HTTP 404 Error

A few weeks ago, our FortiGuard Labs Threat Intelligence system discovered some new suspicious samples as usual. One of these samples caught our attention when we checked its network traffic.

For this particular sample, which Fortinet already detects as W32/Foreign.LXES!tr, we found that most of its communication carries the HTTP/1.1 404 Not Found status, which would normally mean that some error has occurred. But when we analysed the data further, we realized that it was actually a special trick.

more here.........http://blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error

Jerricho- a script for deploying simple Linux backdoors

A simple Bourne shell script that quickly drops several persistence mechanisms on a target Linux host.

The name came from Ironman - "The best weapon is the weapon you only have to fire once." - https://www.youtube.com/watch?v=YBC1Qob27sM&t=38s - Watch this. It's awesome.

You run it as root, it drops a bunch of backdoors in multiple places. This enabled us to easily retain access at regionals for almost all systems.

more here.........https://github.com/ketm768/jerricho