Security NewsBytes, Oct-2011
Null + OWASP + SecurityXploded + Garage4hackers Meet at Bangalore
About me: Ashwin Patil
GCIH, RHCE, CCNA; 2+ years in Infosec
Null / OWASP / SecurityXploded / Garage4hackers Meetup
Announcements
Malcon 2011: Call for Papers open. http://malcon.org/cfp/ Venue: Mumbai, Nov 2011
CFP for nullcon 2012 (Tritiya) is open! http://nullcon.net/cfp-nullcon/ Venue: Goa, Feb 2012
ClubHACK 2011: CFP closes 2nd week of Oct. http://clubhack.com/2011/ Venue: Pune, first weekend of December.
Security Conferences happened
Brucon 2011
Slides (some) posted: http://2011.brucon.org/index.php/Schedule
Derbycon 2011
Videos posted: http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist
HITB SecConf 2011
Slides being posted on the fly: http://conference.hitb.org/hitbsecconf2011kul/materials/
Arrest of LulzSec Members
FBI arrested LulzSec member "Recursion": Cody Kretsinger, 23, accused of using SQL injection attacks against Sony. Earlier, in the UK, two more arrests were made, claimed to be "Kayla" and "Topiary". Ringleader Sabu tweeted that only two were left.
Group chat logs revealed use of HideMyAss's proxy service to disguise his IP in the Sony attack.
The site complied with a court order asking for information in the above case.
The UK-based company explained: VPN services are not designed for committing illegal activity. We only log the time you connect and disconnect. We comply with UK law. If a request for information comes from overseas, it should come through UK channels only.
-- arstechnica, hidemyass blogs
SSL Broken … Again
Two researchers, Juliano Rizzo and Thai Duong, at the Ekoparty Security Conference.
Presented a new fast block-wise chosen-plaintext attack against the AES cipher as used in SSL/TLS.
TLS version 1.0 is vulnerable. TLS v1.1 and 1.2 are not vulnerable, but major websites use TLS v1.0 because the later versions are unsupported in browsers. An old vulnerability, ignored for years because crypto people thought it unexploitable. PoC application: BEAST (Browser Exploit Against SSL/TLS).
-- theregister, threatpost
How does it work? And patches?
-- technet, chrome, mozilla blogs
a.k.a. Cryptographic Trojan Horse
Injects client-side BEAST code into the victim's browser (iframe/JavaScript), then works with a network sniffer to look for active TLS connections.
Grabs and decrypts the HTTPS authentication cookie.
Workarounds are possible, but the real solution is to switch to a newer protocol.
Workarounds by browser vendors: Chrome developer version 15.0 makes the attack more complex. Firefox is considering disabling Java, but that will break many websites and functionalities. Microsoft is working on a Windows Update to fix the issue. Advisory: 2588513
Mysql.com compromised, spreading malware to visitors
-- armorize, SANS ISC, TrendMicro
Last time (March 2011) it was SQL injection. This time, simply visiting the website serves malware through JavaScript and redirects to malicious domains hosting the Blackhole exploit kit.
Discovered first by Armorize. TrendMicro found, on a Russian underground forum, the hacker "sourcec0de" selling root access to mysql.com clusters; price starts from $3000.
The Good, the Bad and the Ugly of Microsoft
-- arstechnica, threatpost , chrome, cnet blogs
The Good Microsoft: Microsoft does it again, takes down the Kelihos botnet. Estimated 41,000 compromised hosts, capable of sending 3.8 billion spam messages.
Previously the Rustock botnet was taken down.
The Bad Microsoft: Microsoft Security Essentials detected chrome.exe as a piece of malware (PWS:Win32). Microsoft released an emergency signature update to fix the issue; Chrome also released an update to fix the issue.
Microsoft is joining the anti-Flash crowd: the Metro version of IE 10 in Windows 8 will not accommodate plugins.
-- msdn blogs, cnet
The Ugly Microsoft
UEFI: Unified Extensible Firmware Interface
A new type of boot environment that replaces the standard BIOS process. UEFI is part of the Windows 8 Secure Boot architecture. To ensure that the pre-OS environment is secure, a system with UEFI enabled and Microsoft signing keys will only boot a secure Windows OS.
Major concern: dual-booting a non-Windows OS such as Linux, or installing new hardware whose drivers are not signed with trusted keys.
Reverse Proxy bypass of Apache
-- contextis.com blog, seclists.org full disclosure
Apache web servers are affected by this issue when running in reverse proxy mode. It could let attackers access DBs, firewalls, routers and other internal network resources. The cause is a misconfiguration in a rewrite rule in the Apache config file:
Vulnerable: RewriteRule ^(.*) http://internalserver:80$1
Safe:       RewriteRule ^(.*) http://internalserver:80/$1
Apache issued a patch (CVE-2011-3368.patch) to stop this type of attack. IIS could also be vulnerable if it imports Apache mod_rewrite rules.
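A small configuration lint for the misconfiguration above, added here as an example (not from the slides or from Apache): it scans a httpd.conf fragment for proxying RewriteRule/ProxyPassMatch targets where the back-reference follows the host:port with no "/" in between, and shows the one-character fix. The sample configuration is constructed.

```python
import re

# Constructed sample httpd.conf fragment (not from the original slides): lines 3 and 5
# show the pattern described for CVE-2011-3368, lines 4 and 6 the corrected form.
SAMPLE_CONF = """
RewriteEngine On
RewriteRule ^(.*) http://internalserver:80$1 [P]
RewriteRule ^(.*) http://internalserver:80/$1 [P]
ProxyPassMatch ^(.*) http://internalserver:80$1
ProxyPassMatch ^(.*) http://internalserver:80/$1
"""

# A proxy target whose scheme://host[:port] is followed directly by a back-reference
# ($1, $2, ...) with no "/" splices the client-supplied request URI onto the authority
# part of the upstream URL instead of onto its path; the "/" pins it to the path.
BAD_TARGET = re.compile(r"^https?://[^/\s]+\$\d")


def rewrite_targets(conf):
    """Yield (line_no, directive, target) for every rewrite/proxy directive in conf."""
    for no, line in enumerate(conf.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("RewriteRule", "ProxyPassMatch"):
            yield no, parts[0], parts[2]


def find_unsafe_targets(conf):
    """Return line numbers whose proxy target lacks a '/' before the back-reference."""
    return [no for no, _, target in rewrite_targets(conf) if BAD_TARGET.match(target)]


def fix_target(target):
    """Insert the missing '/' between the authority and the back-reference."""
    return re.sub(r"^(https?://[^/\s]+)(\$\d)", r"\1/\2", target)


if __name__ == "__main__":
    for no, directive, target in rewrite_targets(SAMPLE_CONF):
        if BAD_TARGET.match(target):
            print(f"line {no}: {directive} target {target!r} -> use {fix_target(target)!r}")
```

Run against a real configuration, the lint only flags the shape of the target; upgrading to the patched Apache release remains the actual fix.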
-- ccc.de, PlayStation blogs
German Federal Trojan: R2D2
"Lawful interception" malware program used to spy on citizens.
Reverse engineered and analyzed by the European Chaos Computer Club (CCC); submitted to the CCC anonymously.
Used by German police forces. Not only sends data but also offers remote control / backdoor functionality to upload and execute arbitrary programs.
Sony: Game is not over
CISO informs of a breach of 93,000 accounts (PSN and SOE). Attackers used a large amount of data obtained from compromised lists of other companies. Sony claims credit card information is not at risk.
-- h-online, androidpolice, allthingsd.com
XSS in Skype for iOS
XSS bug in the iPhone and iPad version of the Skype client. Incorrect WebKit settings allow an attacker to directly access files on the device, including the address book.
More details: https://superevr.com/blog/2011/skype-xss-explained/
Backdoor in HTC Android Smartphones
Vulnerability in an app called HtcLogger.apk, found by androidpolice.com.
The app collects all kinds of data and provides it to anyone who asks by opening a local port.
Any app with the INTERNET permission can access the information and send the data to a remote server.
Patch promised by HTC; it will be a firmware OTA update. Till then, if you are rooted, remove HtcLogger.apk.
AmEx debug mode left site wide open, providing access to vulnerable debug tools
The security issue was noticed by developer Niklas Femerstrand, who had difficulties finding a security contact and reached out via Twitter. AmEx responded and shut down debug mode.
Newer and more complicated Android malware variants are expected to emerge. ANDROIDOS_ANSERVER.A arrives as an eBook reader app and uses encrypted blog posts as C&C.
-- theregister, qnrq.se, TrendMicro, bbc, networkworld, fnno.com
News Overview
New Zeus crimeware toolkit comes with a peer-to-peer design. Such botnets are harder to take down, as there is no centralized C&C server to infiltrate or shut down.
Facebook is partnering with Websense to protect its members from malware and malicious websites.
When a Facebook user clicks on a link, it is checked against the Websense database.
If the link is malicious, the user is presented a choice to continue or not, at their own risk.
Security Tools Releases
sshtrix-0.0.2.tar.gz: very fast multithreaded SSH login cracker
Malware Analyzer 3.5: freeware tool to perform static and dynamic analysis on malware
ExeScan: PE file anomaly detector tool by SecurityXploded
Another File Integrity Checker 2.18: file integrity checker designed to be fast and fully portable between Unix and Windows platforms
WebCookiesSniffer: packet sniffer tool that displays all cookies in a simple table form
fbpwn: a cross-platform Java-based Facebook social engineering framework
Zscaler Likejacking Prevention: browser plugin to keep users safe from Facebook scams
PuttyHijackV1.0.rar: PoC tool to hijack PuTTY sessions by injecting a DLL into the process
Websecurify: powerful, cross-platform web security testing technology
owasp-wte: OWASP Web Testing Environment
wpscan: WordPress security scanner
Security Reading
Microsoft Security Intelligence Report (SIR) Volume 11
Best Practices for Reporting Badware URLs
Post Exploitation Command Lists for Win, Unix, OS X: excellent reference for post exploitation
This Python Has Venom: Symantec blog covering a Python Trojan
Cracking Passwords Version 1.1
Busting Windows in Backtrack 5: Armitage demo in Backtrack 5
Evading Antimalware Engines via Assembly Ghostwriting
Bypassing Windows 7 Kernel ASLR
ClubHack Magazine: Oct 2011
Thank You
Comments, feedback, suggestions:
Twitter: @ashwinpatil
LinkedIn: http://in.linkedin.com/in/ashwinrp
Slideshare: ashwin_patil http://www.slideshare.net/ashwin_patil
R.I.P. Steve Jobs and Dennis Ritchie
Photo Credits: Wikipedia