Tuesday, November 30, 2010

Android Data Stealing Vulnerability

Android Browser Flaw Allows Data Theft

A new vulnerability has been discovered in the Android web browser that could allow hackers to steal files stored on the smartphone's SD card.

According to security expert Thomas Cannon, the a flaw automatically allows payload data to be downloaded to the device's SD card. A few tweaks to a JavaScript will allow the files on the SD card to open making the data readable, he said.

Once the JavaScript has stored the contents of the targeted file, it will then post it to the malicious website. He warned that the flaw is present on multiple handsets and multiple Android OS versions. The security expert has posted a
video on his website showing the Android browser exploit in action.

“I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue. They have since updated me to say they are aiming for a fix to go into a Gingerbread maintenance release after Gingerbread (Android 2.3) becomes available,” he said

Refer here to read more details.

Monday, November 29, 2010

Taking-control of People's Webcams

Computer genius jailed for hacking webcams

A computer hacker who used his technological-know how to take control of people’s webcams was sentenced to 18 months in prison today.

Matthew Anderson, aged 33, was an important member of a globally-running gang who abused the skills he picked up from his role as an expert in computer security in order to target both businesses and members of the public with spam that contained hidden viruses.

As well as this, he accessed personal data such as photographs in a highly sophisticated email scam run from his the front room of his mother’s house, and took control of random internet users’ webcams in an attempt to see inside their houses and appointments.

While also boasting at one point to a colleague that he had had a teenage girl in tears with his acts, Anderson also saved webcam images of girls in school uniforms, a newborn baby with its mother in hospital and other intimate pictures, some of which were of a sexual nature.

Monday, November 15, 2010

New Android Bug Lets Spoofed Apps Run Wild

Spoofed Android apps can bypass security permissions

Google has always a lot of control over its products in the hands of its users, and Android OS is probably on of the best examples. When downloading an application, the user is shown just what said application needs to run properly. If the user doesn’t want the app to have access to certain things it requires, you simply don’t download it. Well, it seems that isn’t the case anymore, as there’s now a new bug in town, and it doesn’t need your stinkin’ permission.

A new bug found in Android can allow those with malicious intent to make a spoof application that seems harmless, only to find out that it can roam free on your handset, and download other, more dangerous applications to steal your personal data, without any permission by the user. Tricky tricky.

Intel security researchers Jon Oberheide and Zach Lanier have created such an application. It looks harmless – an Angry Birds add-on pack that after downloaded, will install a handful of programs that will track your location, steal your contacts, and give the hacker the option to send pay-per-texts. While this isn’t the first time we’ve seen this kind of hack attack, it will certainly be unsettling to most users, especially if this bug isn’t fixed pronto.

Refer here to read more details on Forbes.

Saturday, November 13, 2010

Android on the iPhone?

Install Android 2.2 on the iPhone 2G and 3G over WiFi

Hackers have come up with a way of rescuing Apple fanboys who have elderly versions of the iPhone.

For a while now Jobs' Mob has been forcing its long suffering customers to upgrade their 2G and 3G phones to the broken iPhone 4 by saddling them with an upgrade which made their gizmos slower. Now Redmond Pie has come up with a method of replacing iOS on iPhone 2G and 3G models with Android 2.2 Froyo without using any tools on a host computer.

The outfit had shown off an Android installation before. This involved running iPhoDroid on a host computer connected to a jailbroken iPhone 2G or 3G. This new process uses Bootlace 2.1 to install Android directly via WiFi. It works on iPhone 2Gs with iOS 3.1.2 and 3.1.3 and iPhone 3Gs with 3.1.2, 3.1.3, 4.0, 4.0.1, 4.0.2 and 4.1.

Refer here to read more details.

Thursday, November 11, 2010

Beware - New, Improved Trojans Target Banks

Malware Variants Seek Corporate Accounts

Security researchers are warning financial institutions about the Qakbot Trojan, a rare kind of malware that is allegedly infiltrating large banks and other global financial institutions. It's unlike other types of malware because it has the ability to spread like a worm, but still infect users like a Trojan.

The Qakbot Trojan, named for its primary executable file, _qakbot.dll, is not new, but its qualities and difference in attack set it head and shoulders above other more well-known Trojans, such as Zeus, in that it can infect multiple computers at a time.

In another disturbing find, security researchers at TrustDefender Labs have found a new Gozi Trojan variant that shows a zero percent detection rate. The Trojan targets financial institutions and is invisible to the most used anti-virus software.

Gozi has been attacking banks for three years, but has managed to stay low and undetected. TrustDefender researchers warn that by targeting specific financial institutions, mainly business and corporate banking, Gozi has avoided wider attention from businesses as the Zeus Trojan has grabbed the headlines.

The new Gozi variant has many of the same characteristics of its earlier variants that were researched a year ago. Gozi developers evade signature patterns so much that the history of the Trojan is mostly unknown. TrustDefender's CTO Andreas Baumhof states that an increasing number of Trojans are using SSL and HTTPS to hide their presence. Gozi is also using client-side logic to go around two-factor authentication, as are other Trojans including Zeus, Spyeye and Carberp.

Wednesday, November 10, 2010

Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target

Would it cripple the organization as a whole? What hurts them the most?

Since when did a penetration test primarily become automated tool driven? Scanners are an aid but not a full supplemental for us as penetration testers.

Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:
  • Good hackers don't need to utilize expensive vulnerability scanners.

  • Good hackers don't use automated penetration testing.

  • Attackers don't have a scope or timeframes.

  • Attackers don't stop after they get root.

  • Attackers don't have portions taken out of scope.
The reality of the current situation with pentests is that the true purpose of a testing is completely wasted. For one, your incident response team doesn't get a true attack against a focused attack. If you are at the point where you can't detect automated scans against your network then these traditional methods are right up your alley and your security program is still immature in nature which is fine, you'll get there. The most important element is there is no true representation of impact or financial loss due to a breach.

In simplistic terms there's no focus on business risk, but instead focused on the vulnerability and the exposure of the attack. We aren't hitting companies where it hurts, what makes their business run.

Penetration testing has to be something that measures the organizations business risk and impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test as well as understanding and learning the network.

Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.

Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information or whatever you identify as what hurts them the most. Some questions to answer in Pen-testing includes but not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?

We're also significantly challenged with the basic penetration tests, how do you go against a cheap vulnerability scan penetration test to something that will cost significantly more than that and be done right. Businesses don't understand the difference, they just go with the cheapest buyer, they don't know what they are about to purchase sucks.

We need to hire qualified people that get it, I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.

Monday, November 8, 2010

SCADA security issues will be the shiny hot topic

Metasploit and SCADA Exploits: Dawn of a New Era?

On 18 October, 2010 a significant event occurred concerning threats to SCADA.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.

Some striking facts about this event follow:

  1. This was a zero-day vulnerability that unfortunately was not reported publicly, to a organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.

  2. This exploit was not added to the public Exploit-DB site until 27 October, 2011.

  3. The existence of this exploit was not acknowledged with a ICS-CERT advisory until 1 November, 2010.

  4. This is the first SCADA exploit added to Metasploit.
Shawn Medinger at InfoSec Island shared some interesting thoughts:

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Second, the diverse information sources that SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWinbuffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor. Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

Even in the case of specialty SCADA security shops reporting vulnerabilites to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-relate exploits into a powerful tool.

Roger on Stuxnet

Stuxnet talks – do we listen?

Stuxnet is a severe threat – that’s something we know for sure. But if we look at it, what do we really know? What can we learn?

Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see, what was happening. There was a ton of speculation out there about the source and the target of the worm, especially since it hit mass-media. It is obvious that this is a story that is interesting for a broad audience – however, we security professionals need different sources.

Refer here to read an interesting view on Stuxnet from Roger Halbheer.

Wednesday, November 3, 2010

'Shodan' - Computer Search Engine: Pinpoints shoddy industrial controls

Hackers tap SCADA vulnerabilities search engine

A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.

The year-old site known as
Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.

According to the Industrial Control Systems division of US CERT, that's exactly what some people are doing to discover poorly configured SCADA gear. “The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems,” the group wrote in an advisory (PDF) published on Thursday. “These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them has been greatly reduced.”

Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the information provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned. The organization advised admins to tighten security by:
  • Placing all control systems assets behind firewalls, separated from the business network
  • Deploying secure remote access methods such as Virtual Private Networks (VPNs) for remote access
  • Removing, disabling, or renaming any default system accounts (where possible)
  • Implementing account lockout policies to reduce the risk from brute forcing attempts
  • Implementing policies requiring the use of strong passwords
  • Monitoring the creation of administrator level accounts by third-party vendors
Refer here to read more details.