news bytes oct-2011

Security NewsBytes Oct-2011 About me: Ashwin Patil GCIH, RHCE, CCNA 2+ in Infosec Null / OWASP / SecurityXploded / Garage4hackers Meetup

Upload: ashwin-patil

Post on 17-Nov-2014


DESCRIPTION

Null + OWASP + SecurityXploded + Garage4hackers Meet at Bangalore

TRANSCRIPT

Page 1: News bytes  Oct-2011

Security NewsBytes

Oct-2011

About me: Ashwin Patil

GCIH, RHCE, CCNA2+ in Infosec

Null / OWASP / SecurityXploded / Garage4hackers Meetup

Page 2

Announcements

Malcon 2011: Call for Papers, http://malcon.org/cfp/
Venue: Mumbai, Nov 2011

CFP for nullcon 2012 (Tritiya) is open: http://nullcon.net/cfp-nullcon/
Venue: Goa, Feb 2012

ClubHACK 2011: CFP closes 2nd week of Oct, http://clubhack.com/2011/
Venue: Pune, first weekend of December

Page 3

Security Conferences happened

Brucon 2011: slides (some) posted at http://2011.brucon.org/index.php/Schedule

Derbycon 2011: videos posted at http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist

HITB SecConf 2011: slides being posted on the fly at http://conference.hitb.org/hitbsecconf2011kul/materials/

Page 4

Arrest of LulzSec Members

The FBI arrested LulzSec member "Recursion", Cody Kretsinger, 23, accused of using SQL injection attacks against Sony. Earlier, in the UK, two more arrests were made of people claimed to be "Kayla" and "Topiary". Ringleader Sabu tweeted that only 2 are left.

Group chat logs revealed the use of HideMyAss's proxy/VPN service to disguise his IP in the Sony attack.

The site complied with a court order asking for information in the above case.

The UK-based company explained: VPN services are not designed for committing illegal activity. We only log the time you connect and disconnect. We comply with UK law. If a request for information comes from overseas, it should come through UK channels only.

-- arstechnica, hidemyass blogs

Page 5

SSL Broken ... Again

Two researchers, Juliano Rizzo and Thai Duong, presented at the Ekoparty Security Conference.

They presented a new, fast block-wise chosen-plaintext attack against block ciphers used in CBC mode (AES-CBC included) in SSL/TLS.

TLS 1.0 is vulnerable. TLS 1.1 and 1.2 are not vulnerable, but major websites use TLS 1.0 because the later versions are unsupported in browsers. The weakness (a record's CBC IV is the last ciphertext block of the previous record, so it is predictable) was known for years and ignored because the crypto community thought it was not practically exploitable. P.O.C. application: BEAST, Browser Exploit Against SSL/TLS.

-- theregister, threatpost

Page 6

How does it work? And patches?

-- technet, chrome, mozilla blogs

a.k.a. Cryptographic Trojan Horse

Injects client-side BEAST code into the victim's browser (iframe/JavaScript), which then works together with a network sniffer looking for active TLS connections.

Grabs and decrypts the HTTPS authentication cookie, one byte at a time: the injected code makes the browser send requests in which attacker-chosen bytes push a single unknown cookie byte to the end of a cipher block, and since the next IV is the last ciphertext block already seen on the wire, each byte is confirmed with at most 256 guesses.

Workarounds are possible, but the real solution is switching to the newer protocol versions.

Workarounds by browser vendors:
Chrome developer version 15.0 splits TLS records so the attacker no longer controls a block boundary, making the attack more complex.
Firefox is considering disabling the Java plugin, but that will break many websites and functionality.
Microsoft is working on a Windows Update to fix the issue. Advisory: 2588513.
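The mechanism behind BEAST, as an added worked example that is not part of the original slides or of Rizzo and Duong's code. The attacker sniffs the ciphertext, relies on TLS 1.0 chaining the last ciphertext block of one record into the IV of the next, and uses the victim's browser as an encryption oracle to test one byte of the cookie at a time. The block cipher here is a toy 4-round Feistel network on HMAC-SHA256, an assumption so the script runs on the standard library alone; it stands in for AES and, like AES, is a permutation, so a matching ciphertext block is never a coincidence. The `CbcRecordLayer` class, the `SESSIONID=` cookie and the `per_record_iv` switch are constructed for this example; the switch models the explicit per-record IV of TLS 1.1, under which the attacker's prediction of the next IV no longer holds and the attack fails.

```python
"""Toy BEAST: chosen-boundary attack on CBC with chained IVs (added example)."""
import hashlib
import hmac
import os

B = 16  # block size in bytes, as for AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher with an HMAC-SHA256 round function.
    Assumption: stands in for AES so the script needs only the standard
    library; like AES it is a permutation, so equal ciphertext blocks
    imply equal inputs."""
    left, right = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:B // 2]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordLayer:
    """Victim side of the connection (constructed for this example).

    per_record_iv=False: TLS 1.0 behaviour, the IV of each record is the
    last ciphertext block of the previous record, i.e. predictable.
    per_record_iv=True: TLS 1.1+ behaviour, a fresh random IV per record.
    """

    def __init__(self, key: bytes, secret: bytes, per_record_iv: bool = False):
        self.key = key
        self.secret = secret  # e.g. the HTTPS session cookie BEAST steals
        self.per_record_iv = per_record_iv
        self._chain = os.urandom(B)  # only the very first IV is unpredictable
        self.last_ciphertext_block = None  # what a sniffer saw last on the wire

    def _encrypt_record(self, plaintext: bytes):
        if self.per_record_iv:
            self._chain = os.urandom(B)
        iv = self._chain
        pad_len = B - len(plaintext) % B
        plaintext += bytes([pad_len]) * pad_len  # stands in for MAC + padding
        blocks = []
        for i in range(0, len(plaintext), B):
            self._chain = block_encrypt(self.key, xor(plaintext[i:i + B], self._chain))
            blocks.append(self._chain)
        self.last_ciphertext_block = blocks[-1]
        return iv, blocks  # TLS 1.1 sends the IV explicitly; TLS 1.0 implies it

    def send_request(self, attacker_prefix: bytes):
        """Request the injected script makes the browser send: attacker-chosen
        bytes followed by the secret cookie the browser appends."""
        return self._encrypt_record(attacker_prefix + self.secret)

    def send_chosen_block(self, block: bytes):
        """Record whose first plaintext block the attacker fully controls."""
        return self._encrypt_record(block)


def beast_recover(victim: CbcRecordLayer, secret_len: int) -> bytes:
    """Recover the secret one byte at a time from the sniffed ciphertext."""
    recovered = b""
    for j in range(secret_len):
        # Choose the prefix length so that secret[j] is the last byte of a block
        # whose other 15 bytes are already known (prefix + recovered bytes).
        prefix = b"A" * (B - 1 - j % B)
        blk = j // B
        iv, ct = victim.send_request(prefix)
        c_prev = iv if blk == 0 else ct[blk - 1]  # block XORed into the target
        c_target = ct[blk]
        known = (prefix + recovered)[blk * B:blk * B + B - 1]
        for g in range(256):
            guess = known + bytes([g])
            predicted_iv = victim.last_ciphertext_block  # TLS 1.0: the next IV
            # E(chosen XOR iv) == E(c_prev XOR guess) when the prediction holds
            chosen = xor(xor(c_prev, predicted_iv), guess)
            _, ct2 = victim.send_chosen_block(chosen)
            if ct2[0] == c_target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched at byte %d: IV not predictable" % j)
    return recovered


def demo(per_record_iv: bool = False) -> bytes:
    """Run the attack against a constructed session holding a made-up cookie."""
    cookie = b"SESSIONID=deadbeefcafe1234"  # constructed sample secret
    victim = CbcRecordLayer(os.urandom(B), cookie, per_record_iv)
    return beast_recover(victim, len(cookie))


if __name__ == "__main__":
    print(demo())  # TLS 1.0 style chaining: the cookie is recovered
    try:
        demo(per_record_iv=True)  # TLS 1.1 style explicit IV: the attack fails
    except RuntimeError as exc:
        print(exc)
```

The attacker never decrypts anything; every step is an encryption performed by the victim and compared against a block already captured. That is why the fix in TLS 1.1 (an unpredictable IV per record) and Chrome's record splitting (denying control of a whole block boundary) both break the attack without touching the cipher.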

Page 7

mysql.com compromised, spreading malware to visitors

-- armorize, SANS ISC, TrendMicro

Last time (March 2011) it was SQL injection. This time, simply visiting the website serves malware through injected JavaScript that redirects to malicious domains hosting the Blackhole exploit kit.

First discovered by Armorize. TrendMicro found, on a Russian underground forum, the hacker "sourcec0de" selling root access to mysql.com clusters, with prices starting from $3000.

Page 8

The Good, the Bad and the Ugly of Microsoft

-- arstechnica, threatpost, chrome, cnet blogs

The Good Microsoft: Microsoft does it again and takes down the Kelihos botnet. Estimated 41,000 compromised hosts, capable of sending 3.8 billion spam messages a day.

Previously the Rustock botnet was taken down.

The Bad Microsoft: Microsoft Security Essentials detected chrome.exe as a piece of malware (PWS:Win32). Microsoft released an emergency signature update to fix the issue; Chrome also released an update to fix the issue.

Microsoft is joining the anti-Flash crowd: the Metro version of IE 10 in Windows 8 will not support plugins.

Page 9

Continued ...

-- msdn blogs, cnet

The Ugly Microsoft

UEFI: Unified Extensible Firmware Interface

A new type of boot environment that replaces the standard BIOS boot process. Secure Boot, a feature of UEFI, is part of the Windows 8 boot architecture and is meant to ensure that the pre-OS environment is trusted: firmware verifies the signature of each boot component before running it, so a system with Secure Boot enabled and only Microsoft's signing keys installed will boot only a signed Windows OS.

Major concern: dual-booting a non-Windows OS such as Linux, and installing new hardware whose drivers or option ROMs are not signed with a key the firmware trusts.

Page 10

Reverse Proxy Bypass of Apache

-- contextis.com blog, seclists.org full disclosure

Apache web servers are affected by this issue when running in reverse proxy mode. It could let attackers reach DBs, firewalls, routers and other internal network resources. The cause is a misconfigured rewrite rule in the Apache config file: the target is missing the slash between the backend host:port and the captured request path, so the request can change which host the proxy connects to.

Vulnerable:
RewriteRule ^(.*) http://internalserver:80$1

Corrected:
RewriteRule ^(.*) http://internalserver:80/$1

Apache issued a patch (CVE-2011-3368.patch) to stop this type of attack. IIS could also be vulnerable if it is importing Apache mod_rewrite rules.

Page 11

-- ccc.de, PlayStation blogs

German Federal Trojan: R2D2

"Lawful interception" malware program used to spy on citizens.

Reverse engineered and analysed by the European Chaos Computer Club (CCC), to whom it was submitted anonymously.

Used by German police forces. It not only sends data but also offers remote control or backdoor functionality to upload and execute arbitrary programs.

Sony: Game is not over

The CISO reports a breach of 93,000 accounts (PSN and SOE). Attackers used a large amount of credential data obtained from compromised lists of other companies, i.e. passwords reused across sites. Sony claims credit card information is not at risk.

Page 12

-- h-online, androidpolice, allthingsd.com

XSS in Skype for iOS

XSS bug in the iPhone and iPad version of the Skype client. Incorrect WebKit settings allow an attacker's injected script to directly access files on the device, including the address book. More details: https://superevr.com/blog/2011/skype-xss-explained/

Backdoor in HTC Android Smartphones

Vulnerability in an app called HtcLogger.apk, found by androidpolice.com.

The app collects all kinds of data and provides it to anyone who asks by opening a local port.

Any app with the INTERNET permission can access the information and send the data to a remote server.

A patch is promised by HTC; it will be a firmware OTA update. Until then, if you are rooted, remove HtcLogger.apk.

Page 13

AmEx debug mode left site wide open, providing access to vulnerable debug tools

The security issue was noticed by developer Niklas Femerstrand, who had difficulty finding a security contact. When he contacted AmEx via Twitter, AmEx responded and shut down the debug mode.

Newer and more complicated Android malware variants are expected to emerge. ANDROIDOS_ANSERVER.A arrives as an eBook reader app and uses encrypted blog posts as C&C.

-- theregister, qnrq.se, TrendMicro, bbc, networkworld, fnno.com

News Overview

The new Zeus crimeware toolkit comes with a peer-to-peer design. Such botnets are harder to take down because there is no centralized C&C server to infiltrate or shut down.

Facebook is partnering with Websense to protect its members from malware and malicious web sites. When a Facebook user clicks on a link, it is checked against the Websense database; if the link is malicious, the user is presented with a choice to continue at his own risk or not.

Page 14

Security Tools Releases

sshtrix-0.0.2.tar.gz: very fast multithreaded SSH login cracker
Malware Analyzer 3.5: freeware tool to perform static and dynamic analysis on malware
ExeScan: PE file anomaly detector tool by SecurityXploded
Another File Integrity Checker 2.18: file integrity checker designed to be fast and fully portable between Unix and Windows platforms
WebCookiesSniffer: packet sniffer tool that displays all cookies in a simple table form
fbpwn: a cross-platform Java-based Facebook social engineering framework
Zscaler Likejacking Prevention: browser plugin to keep users safe from Facebook scams
PuttyHijackV1.0.rar: PoC tool to hijack PuTTY sessions by injecting a DLL into the process
Websecurify: powerful, cross-platform web security testing technology
owasp-wte: OWASP Web Testing Environment
wpscan: WordPress security scanner

Page 15

Security Reading

Microsoft Security Intelligence Report (SIR) Volume 11
Best Practices for Reporting Badware URLs
Post Exploitation Command Lists for Windows, Unix, OS X: excellent reference for post-exploitation
This Python has Venom: Symantec blog covering a Python Trojan
Cracking Passwords Version 1.1
Busting Windows in BackTrack 5: Armitage demo in BackTrack 5
Evading Antimalware Engines via Assembly Ghostwriting
Bypassing Windows 7 Kernel ASLR
ClubHACK Magazine: Oct 2011

Page 16

Thank You

Comments, feedback, suggestions:

Twitter: @ashwinpatil
LinkedIn: http://in.linkedin.com/in/ashwinrp
Slideshare: ashwin_patil, http://www.slideshare.net/ashwin_patil

R.I.P. Steve Jobs and Dennis Ritchie

Photo Credits: Wikipedia