Ashwin PatilGCIH,RHCE,CCNA

2+ in Infosec

NewsBytes Aug-Sept

Announcements

Malcon 2011 : Call for Paper http://malcon.org/cfp/Venue: Mumbai , Nov -2011

CFP for nullcon 2012 (Tritiya) is open!!!http://nullcon.net/cfp-nullcon/Venue : Goa, Feb -2012

Coconhttp://www.informationsecurityday.com/c0c0n/Venue: Cochin (Kochi), 7 and 8 Oct -2011

Stop reading and Patch your Browser first

DigiNotar is a Dutch Certificate Authority. They sell SSL certificates. Also works with govt on its PKI implementations Certificate Authority (CA):: Issues Digital certificates a.k.a Trusted third Party Breach discovered in CA infrastructure Damage : Issued fraud certificates for nearly 531 domains List Includes :

*.*.com *.microsoft.com Comodo Root CA Globalsign Root CA*.*.org *.mozilla.org Cybertrust Root CA Thawte Root CA*.google *.torproject.org Digicert Root CA Verisign Root CAlogin.live.com login.yahoo.com Equifax Root CA addons.mozilla.orgtwitter.com *.skype.com www.update.micsrosoft.com

Browsers : Mozilla, Chrome,IE and Safari – Pulled it from CA store in latest versions

-- Fsecure ,threatpost blogs

Don’t want to break add ons ..

-- Mozilla Blog

who and How ?

Called himself Comodohacker : Claimed the attack via Pastebin Twitter Account : @ichsunx2

Fox-It Security Firm AuditOperation Black Tulip Incident Report revealed:

No secure central network logging is in place. All CA [Certificate Authority] servers : Members of one Windows

domainPossible to access them all using one obtained user/password combination. The [domain] password was not very strong and could easily be brute-forced.

Strong indications that the CA-servers were accessible over the network from the management LAN.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

Domain admin Password of CA network shared by Comodohacker: Pr0d@dm1n

-- SANS isc diary, pastebin

Hushhh Nothing left to trust ?

Dutch Regulator Bars DigiNotar From Issuing Qualified Certificates

Avg. browser trust more than 600 CAs , bad history of not doing their job correctly

Blackhat/Defcon talk:: SSL and the Future of AuthenticityBy Moxie Marlinspike:Talk about replacing CA infrastructureIssue with SSL : Authencity Idea : Download the presented SSL certificate directly and then ask a series of trusted notaries to download the certificate and give it to you as well.

Convergence : Browser Addon. http://convergence.io/

--Threatpost

Who is reading the email that you just sent

Peter Kim and Garret Gee of the Godai Group – Paper about doppelganger domains Doppelganger Domains: Register a domain that`s like your target except for a typo. Over 6 months – Grabbed 1,20,00 emails - 20 GB of data from fortune 500 companiesEmail with sensitive info sent with typo or missing dot landed in wrong hands Domain MITM : Set up email servers on typosquated domain and relay mail to correct recepient. Targetted Attacks - APTe.g. Orgn: Email domain-> mail.bank.com, Typosquatted registered domain: mailbank.com

-- wired, tekblog

List of companies (in red) whose sub domains potentially vulnerable to attack

--Wired

What you see is not what you get

New trick to cloak malicious files by disguising file extensionsExploit named: Unitrix by Avast softwareAbuses unicode for right to left languages Exploit uses a hidden code (U+202E) that overrides right-to-left characters to display an executable file as something entirely different.e.g. making jpg.exe to look safer like Photo_D18727_Collexe.jpg Do not open attachment from unknown sources even if they look safer. IE 9 – Application Reputation : Warns users of potentially dangerous files downloaded from internet.

-- Avast Blogs

Morto : RDP Worm

Infects Windows workstation and server with new spreading vector : RDP Once infected, starts scanning local network for machines with RDP enabled Try logging in with Administrator through list of common passwords Copy itself to target machines via windows shares

Monitor traffic spike in logs on port 3389.

-- Sectechno

Mobile Phone monitoring service found

Chinese website offers mobile phone monitoring tools and services to customers access to the site’s backend to retrieve information.Not so cheap - cost from US$300–540. User must first sent an MMS with malware as an attachment to victim Once Installed, reports about activities will be sent to backend service which can be accessed by customer through portal. Currently for Symbian and windows mobile users, can be provided to android users with NICKISPY malware. NICKISPY android malware: Monitors SMS, phone calls , locations, email messages.

-- Trendmicro

Linux Breaches

Attackers have compromised a number of servers at kernel.org that house the Linux kernel source code and were able to modify a number of files and log user activity on the machines Inserted a Trojan startup file into the startup scripts rc3.d on one of the servers so that it would run whenever the machine was started. Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified. Kernel source code repositories are not affected Week later linux.com, linuxfoundation.org taken offline due to a security breach

-- h-online,linux.com

Life After Anonymous

Interview with the former Hacker @SparkyBlaze from Anonymous crew Taken by Cisco employee who runs @CiscoSecurity twitter account Biggest Issue : Social Engineering

“ It all comes down to lies, everyone does it and some people get good at it.”

Advice : Stay away from Black Hat hacking .

-- Cisco security Blogs

awmproxy.net- Provides anonymisation proxies rent computers infected with the TDL4 Bot for use.

Downloaded utorrent client between 4:10 am to 6:20 am Pacific time on 13th sept- You Are INFECTED with malwareWeb server compromised, replaced windows executable with malware

Mebromi- new Rootkit discovered by Chinese AV vendor 360 targetting mainly Award BIOS users. Persists even if harddrive is physically replaced.Package :: BIOS Rootkit + MBR Rootkit + Kernel mode rootkit + PE File infector + Trojan downloader

DeepSafe : Hardware assisted security products Provides trusted view of system event below OS Will embed within ESXi, Xen, KVM and Hyper-V hyperwisors too

--theregister, softpedia, h-online news, webroot.com

News Overview

First Zeus trojan and now Spyeye trojan infected android mobiles found. Malware masquerades as a security app and can intercept incoming SMS text messages. Don’t exploit vuln in device, user have to manually download and install the app to get infected

-- h-online news, foxnews, zscaler, theregister

News Overview

Another update to Apache due to byte range flaw, version 2.2.21 Version 2.2.20 fixeds DoS vulnerability Apache Killer tool vulnerability was released to exploit DoS.

Windows 8 demonstrated at Microsoft's BUILD conference. Picture passwords, faster boot time, built in AV, boot from usb flash drive and new friendlier blue screen of death Developer preview is available free for download

Free t-shirt facebook scam takes advantage of email upload Uses users fb email address to upload content from mobile devices

QR Tags Can Be Rigged To Attack Smartphones PoC hack showed scanning QR code with embedded URL directed to spoofed site and fed malware.

Security Tools Overview

OWASP-GoatDroid : Training environment for exploring Android mobile application security

DroidBox: Sandbox for Android platform Dynamic analysis of android applications

APKInspector : Static analysis for Android platform AnDOSid : DOS Tool for Android OWADE (Offline Windows Analyzer and Data Extractor) : Cloud based forensics Threat Modeling Tool v3.1.8, MiniFuzz Tool v1.5.5, RegExFuzz Tool

v1.1.0 : Updated SDL tools by Microsoft

Data-sound-poc : Exfilterate data out of network over a voice connection fuzzdb : Open Source database of malicious and malformed input test cases. OSForensics : OS Forensics tool for digital investigations. minibis : Automated malware analysis based on paper

"Mass Malware Analysis: A Do-It-Yourself Kit“ WebSurgery : Web Application Security Testing Suite

Security Reading

Understanding and Selecting SIEM/Log Management (PDF) How Microsoft Develops Security Patches Google Report: How Web Attackers Evade Malware Detection Dissecting Andro Malware A summary of PDF tricks : data encodings, JavaScript, or PDF structure Clubhack Magazine : Sept 2011 : Theme – Malware

Thank You

Comments ,Feedbacks, Suggestions

Twitter : @ashwinpatilLinkedIn : http://in.linkedin.com/in/ashwinrp