Security blogs

Distribuir contenido
Some security blogs I followCNXriv2VjbgCfgont2013-07-01T21:55:27Z
Actualizado: hace 8 años 12 semanas

China's new premier rejects US hacking claims

Lun, 03/18/2013 - 04:54

New Chinese Premier Li Keqiang dismissed hacking accusations against China as “groundless” on Sunday and said his government was committed to strong ties with Washington.

Referring to allegations that China’s military was behind massive hacking attacks on U.S. entities, Li reiterated Beijing’s statements that China is a major target of global hackers and opposes all such criminal activity.

Tags: ChinaUSHackersSecurityIndustry Newsl33tdawg
Categorías: Bundle Security blogs

Reuters staffer accused of aiding hackers

Lun, 03/18/2013 - 04:53

A editor maintained his innocence after being suspended with pay on Friday following a US federal indictment on charges he aided members of the Anonymous hacking collective.

Matthew Keys, 26, a deputy social media editor, was indicted on Thursday by a federal grand jury in Sacramento, California, on three criminal counts. The alleged events occurred before he joined Reuters, the indictment indicated.

Tags: ReutersHackersIndustry NewsLaw and Orderl33tdawg
Categorías: Bundle Security blogs

Google Glass hack for Apple fanboys can be had right now

Lun, 03/18/2013 - 04:47

Monocular head mounted display. I've got my beady eye on you...

In 2009 I posted an Instructable on how to make a pair of glasses with a head up display to one eye, using a pair of Olympus Eye-Trek video glasses -

Tags: GoogleAppleHardwarel33tdawg
Categorías: Bundle Security blogs

Two charged in theft of $40K from hacked Subway keypads

Lun, 03/18/2013 - 04:44

Two California men have been indicted for allegedly hacking point-of-sale terminals at Subway shops to steal at least $40,000.

Prosecutors accused Shahin Abdollahi, aka "Sean Holdt," and Jeffrey Thomas Wilkinson of hacking at least 13 point-of-sale (POS) terminals to install software that fraudulently loaded at least $40,000 onto Subway gift cards, according to an indictment unsealed in Boston on Friday (see below). The pair then allegedly used the cards to make purchases at Subway shops and sold them on eBay and Craigslist.

Tags: SubwayLaw and Orderl33tdawg
Categorías: Bundle Security blogs

Twitter could be banned in the UK

Lun, 03/18/2013 - 04:42

Twitter has come to the attention of MP George Galloway, who thinks it should defer to the wishes of local authorities or be sanctioned by the government.

Galloway, Member of Parliament for Bradford West, has filed an early day motion called "Twitter and the detection of crime".

Tags: TwitterUKl33tdawg
Categorías: Bundle Security blogs

Friday Squid Blogging: WTF, Evolution?

Vie, 03/15/2013 - 19:10

WTF, Evolution? is a great blog, and they finally mentioned squid.

Categorías: Bundle Security blogs

Philippine Palace website hacked over Sabah dispute

Vie, 03/15/2013 - 18:04

The website of the Office of the President was hacked by Anonymous Philippines Thursday morning because President Benigno Aquino III was allegedly "mishandling the Sabah issue."

"Greetings, President Aquino! We have watched how you signed into law a bill that endangers and tramples upon the netizens' freedom of speech and expression. Now, we are silent witnesses as to how you are mishandling the Sabah issue," the hacker group said in its message that took over the website.

Tags: PhilippinesSecurityMalaysial33tdawg
Categorías: Bundle Security blogs

Nir Goldshlager does it again

Vie, 03/15/2013 - 18:02

Facebook Inc (NASDAQ:FB) has rewarded a security expert who has located a second flaw in the network. Security experts like Nir Goldshlager have been especially concerned about hackers targeting Facebook in recent months. Goldshlager, who found one bug on the social media network about three weeks ago, discovered a second flaw this week which allowed him to hack the social network a second time.

Tags: FacebookSecurityl33tdawg
Categorías: Bundle Security blogs

xkcd on PGP

Vie, 03/15/2013 - 17:01

How security interacts with users.

Categorías: Bundle Security blogs

Apple purges OS X flaw that let Java apps run when plugin was disabled

Vie, 03/15/2013 - 16:35

Apple has updated OS X to patch more than a dozen security flaws, including one that allowed attackers to exploit Web-based Java flaws even when end users had disabled the widely abused browser plugin.

The CoreTypes vulnerability in OS X Lion and Mountain Lion posed a threat because it undermined widely repeated advice for Mac users to disable Java in browser plugins. The measure is designed to repel a surge of attacks that exploit vulnerabilities in the Oracle-controlled software. Criminal hackers use them to surreptitiously install malware when computers visit booby-trapped websites. According to a bulletin accompanying Thursday's OS X update, attackers could override the protective measure by manipulating the Java Network Launching Protocol, or JNLP, which allows applications to launch directly from a browser.

"Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled," the bulletin explained. "Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."

Read 1 remaining paragraphs | Comments

Categorías: Bundle Security blogs

BlackHat Europe 2013 Wrap-Up Day #2

Vie, 03/15/2013 - 14:58

And we are back with the second wrap-up of BlackHat Europe 2013!  After a dinner with friends and some beers at Rapid7 and IOActive parties, I went back to the hotel to finish the first day wrap-up. I woke up, tool shower, grab some coffee and I’m ready for the second day! No workshop planned for today only talks. Here is a review of the one I attended.

My first choice was to attend the session “Honeypot that can bite: reverse penetration” presented by Alexey Sintsov. This talk is based on Alexey’s experiences with honeypots. He played a lot with honeypots and IDS systems. Their primary goal is to understand how attackers work and to take appropriate preventive actions. Based on the attempts, alerts can be created into IDS, etc. This is a known story, nothing new.

But, which kind of questions could we ask ourselves?  What the attacker tried, what is he looking for, how are we prepared? Based on the collected data, it could be interesting to search who are the attackers (R&D companies, governments, competitors, …). Some interesting questions that can be investigated:

  • Is it a false positive or real attack?
  • Is is a targeted attack or a bonnet?
  • Performed by a professional or script kiddie?

Alexey’s goal was to decloak and track the attacker to “brake his legs” as said Alexey . But we can do more: replay back! Why not answer to the attacker with the same exploit back to the source. Bad guys have softwares used to attack you but they can also have vulnerabilities that could be exploited too.  In case of a web attack, was the attacker a human? Did he used a classic application. if yes, maybe we can exploit it. Based on the attack, we can have a “skill-o-meter” to classify the attack type (human/bot) and the malicious intention of the attacker. We can also use social-engineering skills to grab interesting information about our attacker and we could attack his own environment (ex: his home ADSL router). Other interesting data is pictures, text files, SSIDs, trace route, DNS, screenshots, camera recording. Alexei gave a real example performed in Russia with the Defcon Russia web portal which required a “invite code” to enter. It was of course a honeypot with a rogue Java applet ready to be downloaded. Big warning: when doing this, do never store personal data just technical info! Another problem: the attacker may use multiple proxies, TOR or pivot via another compromised box. Once you grabbed some data from the attacker, it’s easy to correlate them with other sources to find even more interesting stuff (Google is your best friend to achieve this). Another example explained by Alexei:  How he collected data from popular free mail services in Russia. Based on his research, the following profile of attackers were detected:

  • White hat companies tested the applet
  • Independent researchers
  • Backdoored government hosts
  • Script kiddies

Conclusion: it works! Finally, a last type of attack was covered, via third party services like social networks.  If the user is authenticated on alternate services (LinkedIn is a good example) it’s easy to steal more information about him. A nice quote to conclude this presentation:

“The only real defense is offensive defense” (Mao Zedong)

Nice presentation to start the day. I would expect a bigger warning about this kind of behaviour. By attacking your attacker, you cross a line and could be seen also as a “bad guy“. Take care when playing this kind of game.

Then, Thomas Roth presented “Next Generation Mobile Rootkits”. Mobile devices security remains a hot-topic during this edition of BlackHat! Mobile root kits are use for surveillance, usage statistics and criminal activities. They are two targets: the baseband and the CPU. The baseband has a full access to memory. This talk will cover the trust zone in the CPU.

This zone is a secure processor integrated into Cortex-A CPUs. Thomas explained what is the trust zone. As a practical example, he gave Netflix. They require device-certification. For HD streams, video decoding is running on TrustZone with direct access to the screen. So, no way to record the stream on Android devices (DRM). This looks to be good protection. After coveting how the TrustedZone works, Thomas explains how to build a root kit in this zone. First why? People haven’t talked about the problems that come with TrustZone. It’s also about the vendor distrusting the user. Not easy to test on hardware but there is an open source solution to emulate a TrustedZone (qemu-trustzone). The speakers knew his topic but I was completely lost. The presentation was too complex for my poor brain.

After a good lunch, the last set of talks started with “Using D-Space to open doors” by Brad Antoniewicz. The topic was how to attack proximity card access systems. This talk is the result of researches performed about communications between cards & readers. But what is D-Space? It comes from a book written by Daniel Suarez where people are wearing some kind of glasses and are able to “control” things (like the Google glasses in fact). A classic physical access architecture looks like this:

Brad created this environment for +/- $400 based on an Arduino controller. First, the reader’s job: It is to get data from the card and format it for wired transmission. An HID ProxCard contains only a number based on 26 bits split onto two sets: the facility ID/site code (0-255), the card number (0-65535) and two parity bits (pretty simple). So, there are chances that two companies use the safe facility code! Bob in company A may be allowed on site A0 and humber 100 like Alice in another company and cards can be exchanged! Risk is low but exists! How to clone a card? Proxmark3. Open source project. Proxbrute is another tool. Cards are sequentially numbered. Privilege escalation via lost, temporary or skimmed badges. iClass cards, another technology, stores the value on the card but are more secure (two levels: standard or high security). In case of the high security mode, you define the key yourself. How to get the key? has a technique to access the reader memory and pull the key. Between the reader and the controller, a standard protocol is used (Wiegand protocol or sometimes RS232). Wiegand tools (based on Arduino) can perform attacks: skimming, emulator, fuzzier or brute forcer. What about targeting the controller? The one used by Brad was a HID VertX v2000. This model is very popular. How to find a controller? Simply scan for open ports UDP/4070. You will get the type, the model, firmware version etc. The controller is even reachable via Telnet without password. It’s an embedded Linux with a root account and a crapy password. The password is hardcoded in the application. Change the root password, you break the controller! Interesting stuff is stored in DB files: AccessDB, IdentDB (allowed doors, time restrictions). They are populated by the backend server. You can inject your own card number in the DB using the tool developed by Brad:

./VertX_CacheTool -c 00263F9500 -r

But doing this, you generate a log entry! How to open a door in a safe (hidden) way? Using serial debugging and commands:

hwtestserial -d /dev/ttyS2 -b 38400 -p None -s1 -v 100 -txhex xxxxxxxxxxxxxxxxxx

Same via the Web UI! You can open a door using a GET request:


It’s possble to make a door stay unlocked or locked! The last part is the backend. What can we do? It’s called WebBrix. It runs on Windows with a default SQL db (sa with no password). A service is running on port TCP/4070. The protocol is plaintext by default (encrypt not default). Here again, the application is crappy and vulnerable to multiple attacks.

Code of tools is available online: Unfortunately, due to a technical problem (a missing 110v – 220v converter), Brad was not able to perform a live demo. A great talk with practical stuff! You should never see your access badges from the same point of view!

And we continue with another talk! ”Dude, where’s my laptop?” presented by Simon Roses Fermeling and Curro Marquez. Every day, thousands of mobile devices are lost or stolen. Often they contain personal or corporate (but critical on both cases) data: contacts, emails, photos, passwords, apps, etc. There is a huge market behind this and vendors propose lot of solutions to protect our beloved toys. But are they really efficient and what do they do if the device is stolen? That’s what covered Simon’s talk. First he performed a revue of the market. Here are two interesting statistics?

  • 10K mobile phones are stolen per month in London
  • Laptop thefts totalled more than $3.5 millions in 2005

There are two technologies that apply to mobile devices: BYOx (“x” means whatever you want) and MDM & co family. What are their anti-theft features? Encryption, remote wipe of files, screen lock, info sent to a C&C like IP addresses, GPS location, camera shot. They claim to offer strong security and helping to recover the device. Is it true? How to find a good one? Google Play reports 1000+ results when you search for “anti-theft” (for Android devices). The marketing message is: “Just relax“:

They lack of a good design. How data is protected: at rest/in transit? Can wiped data are really gone? Can tempering be detected and stopped? So, how work thieves? Simon demonstrated some techniques. They can attack via the network, via the system or reverse-engineer apps. Most anti-theft solutions are visible. Should not be a good idea to cover itself and work silently? Some solutions are not secure at all and send data in plaintext over the air. Physical access to can achieved in a Faraday box/bag to avoid any connection. Keep in mind: No connectivity = no protection.  Attackers have plenty of time to root the device. Here again, apps store data in cleartext (data at rest) or weak crypto is used (MD5 without salt). A first demo was shown (video) about Prey and how to bypass the lock out, so easy! The next feature reviewed by Simon was the secure wipe. Apps do not have secure delete capabilities and many times SD cards content is not deleted. Tip for thieves: once the device is stolen, remove the SD card as soon as possible! If data is wiped, it can be recovered using forensic tools. Simon developed a tool called “John Hard Vegas” (will be available by next week). It can detect anti-theft tools, disable them and steal credentials. From an attacker point of view, how can we insert a root kit in the stolen device?

  • Shield device
  • Tamper device
  • Install root kit
  • Enable anti-theft
  • Return device
  • Owner happy!

Then followed a ssecond demo: Via a Backtrack distro which played a MitM attack and intercepted communications with the server and sent rogue data back to the client.  Awesome. Conclusions to this talk are a huge amount of risks. The first one is the lack of encryption. And when used, it’s via poor algorithms. Apps are unsafe too (debug mode enabled, no data validation). Data is not safely wiped and they can be easily defeated. Maybe the best solution is to keep an eye on your devices and beware of public networks. A last message to the vendors: build secure software not security software. Very nice talk!

Finally, Jacob Williams talked about cloud application with “DropSmack: How cloud synchronisation services render your corporate firewall worthless?“. Jacob developed a course on cloud forensics and is the right guy to talk about synchronisation services like Dropbox. He demonstrated how to use Dropbox to p0wn a protected corporate network and how to use DropSmack. Why Dropbox? Because it is the “Coca-cola” of the synchronisation softwares. It provides a command and control channel by design! Infecting files destined for a backup could be interesting.

Dropbox suffered of some major authentication issues (like the “no password” day in 2011) but nobody is really looking at alternatives. Nothing news, in 2011, the idea to use synchronisation software already emerged. Everytime something was disclosed, Dropbox fixed it. Dropbox was already a topic of security talks in conferences. Jacob gave a real example with a client who asked him to perform an “APT-like” attack. The standard methods failed as well as physical security. Spam was also blocked. He looked for an alternative and found a personal email address: the one of the CIO. With an email address it was easy to own the laptop and this guy was using Dropbox! How to grab his credentials? The Dropbox DB was encrypted. Dropbox could be used to infect the internal network and be the C2 channel. They needed a malware which could communicate with a Dropbox sync process (not a regular meterpreter). Dropsmack was born! Data exfiltration and command output are also sent via Dropbox. It implements the following basic commands: PUT, GET, DELETE, EXECUTE, SLEEP, MOVE. How to deploy?

  • Embed DropSmack in a doc already synchronized
  • Add some macro goodness
  • Load file back
  • File synchronizes
  • Have a coke & wait

What can we do with DropSmack? The PUT command allows to upload an EXE but name must not be .exe or dropbox will delete it. GET is the opposite. EXEC executes a file with the user privileges. Best is to output to a file and download it with a GET command. MOVE and DEL don’t need a description. SLEEP can be used to minimise the impact of pop-up’s displayed on the victim desktop after each synchronisation (could be annoying). How to detect DropSmack? IDS: worthless, Firewall: mostly worthless, AV: no comment, DLP: same. Only whitelisting software won’t let the new application (DropSmack) to execute. Will a NG firewall save you? In  2012, more than 75% of respondents to a NGFW survey said that their workload increased due to application controls (like the IDS in the 90′s). It remains a black or white decision to allow Dropbox on your network? What if you device to allow DropBox? It uses LanSync (port 17500 UDP/TCP), block access to Amazon S3 (used by Dropbox), not doable. Not easy and again will increase your workload. It’s time to talk to your management and find out what’s the best policy for synchronisation services. Jacob finished his presentation with a live demo of DropSmack. What about the future? Read and extract information from DropBox configurations, allow alternative default Dropbox synchronisation folder and get rid of the boring popups! Awesome talk to end the day.

This closes the BlackHat Europe 2013 event! A good event where I met lot of new friends. Just one remark to the organisers: For the next edition, give me attention to the Arsenal. Try to promote it more and setup sessions during breaks to attract more people. Now, it’s time to drive back to Belgium and let’s enjoy the weekend! Have a safe trip back to $HOME!

Categorías: Bundle Security blogs

Cyber Security for Defense, Intelligence & Homeland Security Symposium

Vie, 03/15/2013 - 14:48
05/08/2013 - The number of cyber attacks on DoD and Government networksʼ estimated at 400 million annually— continues to increase at an alarming pace...(author unknown)
Categorías: Bundle Security blogs

Healthcare Data Analytics Symposium

Vie, 03/15/2013 - 14:36
07/09/2013 - Healthcare Data Analytics – What You Need to Know about This Burgeoning New Field! The healthcare analytics market, already at almost $4 bil...(author unknown)
Categorías: Bundle Security blogs

Unmanned Aircraft Systems Symposium - East

Vie, 03/15/2013 - 14:24
05/08/2013 - Over 25 Experts from DIA/STRAT COM, SOUTHCOM, OSD, MCCDC, AFSPC, MA WTS -1, NDAN G,DHS/CBP, RCAF, DAR PA, NRL, General Atomics Aeronautical System...(author unknown)
Categorías: Bundle Security blogs

Informe de amenazas de Mandiant en ataques avanzados dirigidos

Vie, 03/15/2013 - 11:30
Mandiant lanzo la cuarta edición de su informe M-Trends, que detalla las tácticas utilizadas por los atacantes para comprometer las organizaciones y robar la información. También destacan las mejores prácticas en respuesta a incidentes empleadas por organizaciones que han tenido éxito en combatir a atacantes avanzados.     Este año M-Trends también incluye visión general del grupo de (Seguridad de la Información)
Categorías: Bundle Security blogs

Security reporter tells Ars about hacked 911 call that sent SWAT team to his house (Updated)

Vie, 03/15/2013 - 11:00

Update: Krebs has now written about his experience in some detail. The same people responsible for the DDoS attack carried out yesterday on Krebs' site launched a similar attack on Ars Technica this morning.

Original story:

Brian Krebs has always been a trailblazer among security reporters. His exposés completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network. More recently, his investigative journalism has followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.

Read 16 remaining paragraphs | Comments

Categorías: Bundle Security blogs

Oil and Gas Mobility Summit

Vie, 03/15/2013 - 09:52
04/22/2013 - Oil and Gas Mobility Summit The Oil and Gas Mobility Summit, the first event of its kind in North America, will gather the energy industries burgeo...(author unknown)
Categorías: Bundle Security blogs

Rapid Flood Mapping with ERDAS Imagine

Vie, 03/15/2013 - 09:09
04/03/2013 - Rapid Flood Mapping with ERDAS Imagine: Taking the Complexity Out of Processing RADAR Imagery Flooding often endangers human lives and can cause wi...(author unknown)
Categorías: Bundle Security blogs

Reduce Costs and Increase Productivity with Versatile Mobile Workforce Management Solutions

Vie, 03/15/2013 - 09:05
03/26/2013 - Organizations with mobile employees are constantly challenged by increasing fuel costs, visibility into territory management, inefficient routes, a...(author unknown)
Categorías: Bundle Security blogs

Stuxnet is Much Older than We Thought

Vie, 03/15/2013 - 08:46

Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here.

What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then.

Categorías: Bundle Security blogs