
Category Archives: Netsec

Last October, the FBI Special Agent in charge of Cyber and Counterintelligence stated that the FBI typically advises people to “pay the ransom”, but now the FBI is advising people NOT to pay the ransom.


Which is it, lads?

http://rol.im/asux/


Google offers an application security education page about XSS. If you’re new to it, or just want to go more in-depth and learn how to mitigate it, give it a read.

https://www.google.com/about/appsecurity/learning/xss/

BSides Charlotte was a great time and the people were fantastic. The CTF was awesome, because we (Mother Russia) won and had a blast with the Network King of the Hill-style competition.

Mother Russia of Great Victorious

Great #1 Victory

Technical Details

So, I feel a little bit ashamed, but I spent the first hour and a half thinking that I was in netsec hell and was hitting a firewall or something, because Nmap was running extremely slowly (57 minutes for a /24), but it turned out that I was scanning an entirely wrong network.

After getting some good targets, I saw a lot of port 80. Most only had the default Apache pages, but one had a Drupal instance installed. The scoring mechanism required teams to deface the front page of the web servers with <team>TeamName</team> tags, so this looked promising. My teammate pointed out that a Metasploit module existed for that version of Drupal (Drupalgeddon). In our case, it created an admin user and popped a meterpreter session with low privilege.

After logging in to the Drupal instance, it became clear that there was a lot of competition for the front page, but we used a secret weapon to swing the competition in our favor. Many teams were outright banning and blocking the other teams’ admin users, which I found to be a silly idea, because they would just create a new user and it would be a game of whack-a-mole. Instead of blocking or banning users, I simply removed their admin privileges, posted our flag and babysat the users page to remove new users’ permissions. After a while, even the facilitator of the CTF was asking how we were blocking access and assumed that we had rooted the box and were using iptables. Because it allowed users to still browse all of the pages, many assumed that it was simply a network glitch when their posts didn’t work. As a result, they didn’t create new users and moved on to other targets, giving us a WIDE lead. The network was a target-rich environment, with quite a few open ports, but MS08-067 actually saved the day on quite a few of them. There were many boxes, but the Drupal incident was really my highlight of it all.

It was a fun CTF and a wonderful conference, so I want to give greetz to @th3mojo, @c0ncealed, and everyone who helped run @BsidesCLT.

I just want to take this moment to point out what an awesome site Arizona Cyber Warfare Range is. They allow aspiring netsec students and hacker jedi alike to register on any of their hacking “live-fire ranges” and learn valuable skills. With servers for Beginner, Intermediate, Advanced and Real World skill levels, this is an excellent resource for anyone interested in infosec or hacking. They are a non-profit organization, so please drop them a donation if you can spare it.

Using crowdfunding and an open-source hardware design, the USB Armory (which is now for sale here (no affiliate links here) for $130) has been successfully funded and released. Featuring a smaller form factor than an Arduino or Raspberry Pi, the Armory is a USB stick-sized computer that can be used for any number of projects. The little stick sports a lot of power, as seen in the specifications (taken from the crowdfunding page):

Hardware

Software

The USB Armory hardware is supported by standard software environments and requires very little customization effort. In fact, vanilla Linux kernels and standard distributions run seamlessly on the tiny USB Armory board:

Connectivity

  • High Speed USB 2.0 On-The-Go (OTG) with full device emulation
  • full TCP/IP connection to/from USB Armory via USB CDC Ethernet emulation
  • flash drive functionality via USB mass storage device emulation
  • serial communication over USB or physical UART

Security

The ability to emulate arbitrary USB devices in combination with the i.MX53 SoC speed and fully customizable operating environment makes the USB Armory an ideal platform for all kinds of personal security applications. Not only is the USB Armory an excellent tool for testing the security of other devices, but it also has great security features itself:

  • ARM® TrustZone®
  • secure boot + storage + RAM
  • user-fused keys for running only trusted firmware
  • optional secure mode detection LED indicator
  • minimal design limits scope of supply chain attacks
  • great auditability due to open hardware and software

The support for ARM® TrustZone®, in contrast to conventional trusted platform modules (TPMs), allows developers to engineer custom TPMs by enforcing domain separation between the “secure” and “normal” worlds that propagates throughout all SoC components, as opposed to being limited to the CPU core.

At such a low price point and with this many options, this could become a must-have for any cyber security practitioner. I plan to pick one up at some point and will hopefully write a review.

Mark Burnett recently released a cache of 10 million real passwords. For those who do a lot of password cracking and hashing, this is very welcome news. The file is a compilation of various data dumps from website compromises over the course of several years, and the value of a cache of actual passwords, rather than generated wordlists, is very encouraging for those who would seek to break hashes. Statistically, in a large enough group, you are far more likely to find two people who share the same birthday than you are to find someone with a specific birthday. If this principle holds true for password usage as well, this dump could be priceless for security researchers.

Magnet Link: Here

Disclaimer: BY DOWNLOADING THIS AUTHENTICATION DATA YOU AGREE NOT TO USE IT IN ANY MANNER WHICH IS UNLAWFUL, ILLEGAL, FRAUDULENT OR HARMFUL, OR IN CONNECTION WITH ANY UNLAWFUL, ILLEGAL, FRAUDULENT OR HARMFUL PURPOSE OR ACTIVITY INCLUDING BUT NOT LIMITED TO FRAUD, IDENTITY THEFT, OR UNAUTHORIZED COMPUTER SYSTEM ACCESS. THIS DATA IS ONLY MADE AVAILABLE FOR ACADEMIC AND RESEARCH PURPOSES.
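The birthday arithmetic the post alludes to, as an added example that is not part of the original post: it computes the probability that some two members of a group collide versus the probability that at least one member matches one fixed value, generalized from 365 birthdays to any value space so the same comparison can be made for a pool of passwords (the space sizes are assumptions for illustration).

```python
"""Birthday-paradox arithmetic behind the password-cache analogy.

Added example, not code from the post. Models `space` equally likely values
(365 for birthdays, or an assumed password space for the analogy) and compares:
  * P(any two of n samples collide)                  -- "shared birthday"
  * P(at least one of n samples equals a fixed target) -- "specific birthday"
"""
import math


def p_shared(n: int, space: int = 365) -> float:
    """Probability that at least two of n uniform draws from `space` values collide."""
    if n > space:
        return 1.0  # pigeonhole principle: a collision is certain
    # P(all distinct) = (space/space) * ((space-1)/space) * ... * ((space-n+1)/space)
    # Summing logs avoids underflow for large spaces.
    log_all_distinct = sum(math.log((space - i) / space) for i in range(n))
    return 1.0 - math.exp(log_all_distinct)


def p_specific(n: int, space: int = 365) -> float:
    """Probability that at least one of n uniform draws equals one fixed target value."""
    return 1.0 - (1.0 - 1.0 / space) ** n


def smallest_n(prob_fn, threshold: float = 0.5, space: int = 365) -> int:
    """Smallest group size n for which prob_fn(n, space) reaches `threshold`."""
    n = 1
    while prob_fn(n, space) < threshold:
        n += 1
    return n


if __name__ == "__main__":
    for n in (10, 23, 50, 253):
        print(f"n={n:4d}  shared={p_shared(n):.4f}  specific={p_specific(n):.4f}")
    print("50% chance of a shared birthday needs n =", smallest_n(p_shared))
    print("50% chance of a specific birthday needs n =", smallest_n(p_specific))
    # Same comparison for an assumed space of one million equally likely passwords:
    print(f"space=1e6, n=1500: shared={p_shared(1500, 10**6):.3f} "
          f"specific={p_specific(1500, 10**6):.6f}")
```

With 23 people a shared birthday is already more likely than not, while matching one specific birthday with the same confidence takes 253 people; the same gap is what makes a cache of real passwords more useful than guessing at any one account.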

Security researcher Jacob Torrey has announced plans to unveil a system that he claims will make the reverse engineering of software (and malware) much more difficult, thanks to his new crypto-based project, the Hardened Anti-Reverse Engineering System (HARES). By utilizing a feature of Intel and AMD processors known as Translation Look-aside Buffer (TLB) splitting, HARES segments the memory of a program into data and instructions, then encrypts the instruction portion with a key stored in the processor. This makes the use of traditional reversing and debugging tools (OllyDbg, IDA Pro, etc.) much more difficult.

Adding a new hurdle for malware analysts raises security concerns, as traditional anti-malware solutions depend upon reverse engineering of the malware sample in order to develop countermeasures. HARES could allow black-hat types to operate with impunity, jeopardizing personal information and banking records for millions.

Not all is lost, however. Through the use of JTAG debugging tools for the processor itself, it may still be possible to intercept the code before it executes, although it would likely be in a lower-level representation than the x86 or x64 assembly that is the lingua franca of malware analysts everywhere. Another possible attack against HARES is for reversers to intercept the decryption key when it is first passed to the processor, allowing the encrypted instructions in memory to be read freely.

Torrey plans to unveil his project at SyScan in March.


In keeping with its focus on cyber security, the White House (which just approved a $1 billion increase in cyber funding for 2016) is hosting the first Summit on Cybersecurity and Consumer Protection this Friday at Stanford University.

Attendees include a veritable ‘who’s who’ of the tech industry, Wall Street, and various other industries, with the CEOs of Bank of America Corp., U.S. Bancorp, American Express, Kaiser Permanente, Visa Inc., MasterCard Inc., and PayPal, as well as Tim Cook from Apple and representatives from Facebook, Google, Intel, and various other companies.

Among the items on the agenda are:

  • Public-Private Collaboration on Cybersecurity
  • Improving Cybersecurity Practices at Consumer-Oriented Businesses and Organizations
  • Promoting More Secure Payment Technologies
  • Cybersecurity Information Sharing
  • International Law Enforcement Cooperation on Cybersecurity
  • Improving Authentication: Moving Beyond the Password

The White House has also stated that in order to strengthen America’s cyber security posture, its priorities are:

  1. Protecting the country’s critical infrastructure — our most important information systems — from cyber threats.
  2. Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.
  3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
  4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
  5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.


It will be interesting to see how this shapes the future of America’s cyber policy and how the rest of the world reacts. If Apple Pay becomes the de facto e-payment standard, what does that mean for Android users?

Today, Facebook announced its new cyber security threat feed, ThreatExchange. By integrating various threat-monitoring feeds and using its Facebook Graph system, it will allow users and companies to trace the connections between cyber incidents and their own records. A number of companies are on board and will be contributing to and utilizing the data. By embracing the philosophy of data sharing, the goal is to strengthen the web collectively through efficient dissemination of cyber threat intelligence. The beta now has an open signup for both users and contributors.