Hacking & Security

Nishang: A Post-Exploitation Framework

InfoSec Institute Resources - 18 November, 2015 - 14:00

Introduction

I was recently doing an external penetration test for one of our clients, where I got shell access to Windows Server 2012 (internal web server sitting behind an IPS) with Administrative Privileges. It also appears to have an Antivirus installed on the system as everything I was uploading on to the machine was being deleted on […]


Category: Hacking & Security

Free tool uses Twitter Direct Messages to control hacked computers

Sophos Naked Security - 18 November, 2015 - 13:48
A self-styled security researcher has created a tool called Twittor that uses Twitter Direct Messages as a botnet command-and-control server.

Cyber thief who stole nude images for revenge porn king gets 2 years

Sophos Naked Security - 18 November, 2015 - 13:14
$250 for nude images stolen from "6 guys and 6 girls": that's the kind of fee that Charles "Gary" Evens charged revenge porn king Hunter Moore.

Google VirusTotal – now with autoanalysis of OS X malware

Sophos Naked Security - 18 November, 2015 - 12:00
Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware.

Google’s $85 Chromebit Lets You Turn Any Monitor or TV into a Computer

The Hacker News - 18 November, 2015 - 08:07
Google and Asus are finally ready to release their new micro Chrome OS computer called the Chromebit — that retails at a great price, just $85. That is quite cheap for what is essentially a portable computer that you can take anywhere in your pocket. Announced back in March, the Chromebit is a fully featured Computer-on-a-Stick that
Category: Hacking & Security

Paris Terror Attacks Stoke Encryption Debate

Krebs on Security - 17 November, 2015 - 23:13

U.S. state and federal law enforcement officials appear poised to tap into public concern over the terror attacks in France last week to garner support for proposals that would fundamentally weaken the security of encryption technology used by U.S. corporations and citizens. Here’s a closer look at what’s going on, and why readers should be tuned in and asking questions.

Despite early and widely repeated media reports that the terrorists who killed at least 128 people in Paris used strong encryption to disguise their communications, the evidence of this has failed to materialize. An initial report on Nov. 14 from Forbes titled “Why the Paris ISIS Terrorists Used PlayStation4 to Plan Attacks” was later backpedalled to “How Paris ISIS Terrorists May Have Used PlayStation 4 to Discuss and Plan.” Turns out there was actually nothing to indicate the attackers used gaming consoles to hide their communications; only that they could do that if they wanted to.

Politico ran a piece on Sunday that quoted a Belgian government official saying French authorities had confiscated at least one PlayStation 4 gaming console from one of the attacker’s belongings (hat tip to Insidesources.com).

“It’s unclear if the suspects in the attacks used PlayStation as a means of communication,” the Politico story explained. “But the sophistication of the attacks raises questions about the ability of law enforcement to detect plots as extremists use new and different forms of technology to elude investigators.”

Also on Sunday, The New York Times published a story that included this bit:

“The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”

After heavy criticism of the story on Twitter, The Times later removed the story from the site (it is archived here). That paragraph was softened into the following text, which was included in a different Times story later in the day: “European officials said they believed the Paris attackers had used some kind of encrypted communication, but offered no evidence.” To its credit, the Times today published a more detailed look at the encryption debate.

The media may be unwittingly playing into the hands of folks that former NBC reporter Bob Sullivan lovingly calls the “anti-encryption opportunists,” i.e., those who support weakening data encryption standards to make it easier for law enforcement officials to lawfully monitor people suspected of terrorist activity.

The directors of the FBI, Central Intelligence Agency and National Security Agency have repeatedly warned Congress and the technology community that they’re facing a yawning intelligence gap from smart phone and internet communication technologies that use encryption which investigators cannot crack — even after being granted the authority to do so by the U.S. courts.

For its part, the Obama administration has reportedly backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices.

“While the administration said it would continue to try to persuade companies like Apple and Google to assist in criminal and national security investigations, it determined that the government should not force them to breach the security of their products,” wrote Nicole Perlroth and David Sanger for The New York Times in October. “In essence, investigators will have to hope they find other ways to get what they need, from data stored in the cloud in unencrypted form or transmitted over phone lines, which are covered by a law that affects telecommunications providers but not the technology giants.”

But this hasn’t stopped proponents of weakening encryption from identifying opportunities to advance their cause. In a memo obtained in August by The Washington Post, Robert Litt, a lawyer in the Office of the Director of National Intelligence, wrote that the public support for weakening encryption “could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

To that apparent end, law enforcement officials from Manhattan and the City of London are expected on Wednesday to release a “white paper on smartphone encryption,” during an annual financial crimes and cybersecurity symposium at The Federal Reserve Bank of New York. A media notice (PDF) about the event was sent out by Manhattan District Attorney Cyrus R. Vance Jr., one of the speakers at the event and a vocal proponent of building special access for law enforcement into encrypted communications. Here’s Vance in a recent New York Times op-ed on the need for the expanded surveillance powers.

Critics say any plans designed to build in secret “backdoors” that allow court-ordered access to encrypted communications ultimately would backfire once those backdoors were discovered by crooks and nation states. In her column titled “After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption,” Wired.com’s Kim Zetter examines security holes in the arguments for weakening encryption.

The aforementioned Bob Sullivan reminds us that weakening domestic encryption laws would simply ensure that the criminals we wish to monitor use non-US encryption technology:

“For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law. But products created outside the U.S.? They’d create backdoors only if their governments required it. You see where I’m going. There will be no global master key law that all corporations adhere to. By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed. Plenty of companies would create rogue encryption products, now that the market for them would explode. And of course, terrorists are hard at work creating their own encryption schemes.”

“There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very, very hard to undo a technological advance.”

“Meanwhile, creation of backdoors would make us all less safe. Would you trust governments to store and protect such a master key? Managing defense of such a universal secret-killer is the stuff of movie plots. No, the master key would most likely get out, or the backdoor would be hacked. That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind our backs.”

“In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.”

Where do you come down on this debate, dear readers? Are you taking advantage of the kinds of technologies and services — like Signal, Telegram and Wickr — that use encryption the government says it can’t crack? Sound off in the comments below.

Category: Hacking & Security

Updated Windows privacy policy a little more reassuring

Ars Technica - 17 November, 2015 - 22:10

Windows 10 collects more data and has more cloud connections than any version of Windows before—a design that has many privacy implications. One of the continued complaints around this is a lack of clarity around what gets collected and how it gets used. Ed Bott spotted that the privacy statement, the lengthy document covering all of Microsoft's major online services, was updated in October.

Some of the changes are straightforward corrections or updates to accommodate new service names. Others, however, are a bit more meaningful. For example, on consumer systems the encryption keys used for BitLocker drive encryption by default get backed up to OneDrive online. This enables data recovery in certain situations. The description of this in the privacy statement has been updated to note that "Microsoft doesn't use your individual recovery keys for any purpose," making clear that while the keys may be stored on OneDrive, Microsoft will not use them and is not interested in decrypting your disk.

Another alteration clarifies language that was being misinterpreted. The original privacy statement read that Microsoft "will access [...] your content (such as [...] files in private folders)" in response to law enforcement demands, to ensure safe operation of its services, and a few other situations. This led some to believe that private folders on users' hard disks were vulnerable to inspection and distribution by Microsoft. The new text makes it explicit that only files stored on OneDrive and e-mails stored in Outlook.com are covered by this statement.


Category: Hacking & Security

Adobe Pushes Hotfix for ColdFusion

Threatpost - 17 November, 2015 - 20:45
Adobe patched vulnerabilities in ColdFusion, LiveCycle Data Services and Premiere Clip for iOS.
Category: Hacking & Security

Patched Libpng Vulnerabilities Have Limited Scope

Threatpost - 17 November, 2015 - 19:12
Most applications, including Firefox, are not vulnerable to a pair of memory corruption vulnerabilities patched in the libpng PNG reference library.
Category: Hacking & Security

What is Threat Intelligence and How It Helps to Identify Security Threats

The Hacker News - 17 November, 2015 - 18:47
Simply put, threat intelligence is knowledge that helps you identify security threats and make informed decisions. Threat intelligence can help you solve the following problems: How do I keep up to date on the overwhelming amount of information on security threats, including bad actors, methods, vulnerabilities, targets, etc.? How do I get more proactive about future security threats? How do I
Category: Hacking & Security

Why Algebraic Eraser may be the riskiest cryptosystem you’ve never heard of

Ars Technica - 17 November, 2015 - 17:40

A potential standard for securing network-connected pacemakers, automobiles, and other lightweight devices has suffered a potentially game-over setback after researchers developed a practical attack that obtains its secret cryptographic key.

Known as Algebraic Eraser, the scheme is a patented way to establish public encryption keys without overtaxing the limited amounts of memory and computational resources that often constrain so-called Internet of Things (IoT) devices. Developed by scientists from Shelton, Connecticut-based SecureRF, it's similar to the Diffie-Hellman key exchange in that it allows two parties who have never met to securely establish a key over an insecure channel.

The big advantage Algebraic Eraser has had is its ability to work using only a tiny fraction of the power and computing resources required by more traditional key exchanges. Algebraic Eraser has looked so promising that it's an underlying technology in ISO/IEC AWI 29167-20, a proposed International Organization for Standardization specification for securing radio frequency identification-enabled technologies, wireless sensors, embedded systems, and other devices where security is paramount and computing resources are minimal.


Category: Hacking & Security

Kaspersky Security Bulletin. 2016 Predictions

Kaspersky Securelist - 17 November, 2015 - 17:03

As the year comes to an end, we have an opportunity to take stock of how the industry has evolved and to cast our predictions for the coming years. Taking advantage of a rare global meeting of our GReAT and Anti-Malware Research experts, we tossed ideas into the ring and I have the privilege of selecting some of the more noteworthy and plausible for both the coming year and the long-term future as we foresee it. The outlook for our rapidly evolving field of study is quite thought-provoking and will continue to present us with interesting challenges. By sticking to sober metrics, perhaps we can skip the usual science fiction fear mongering and come to some accurate predictions for both the short- and long-term.

No more APTs

Before you start celebrating, we should point out that we’re referring to the ‘Advanced’ and ‘Persistent’ elements – both of which the threat actors would gladly drop for overall stealth. We expect to see a decrease in the emphasis on persistence, placing a greater focus on memory-resident or fileless malware. The idea will be to reduce the traces left on an infected system and thus avoid detection altogether. Another approach will be to reduce the emphasis on advanced malware. Rather than investing in bootkits, rootkits, and custom malware that gets burned by research teams, we expect an increase in the repurposing of off-the-shelf malware. Not only does this mean that the malware platform isn’t burned upon discovery but it also has the added benefit of hiding the actor and his intentions in a larger crowd of mundane uses for a commercially available RAT. As the shine of cyber-capabilities wears off, return on investment will rule much of the decision-making of state-sponsored attackers – and nothing beats low initial investment for maximizing ROI.

APT: a decrease in the emphasis on persistence, a focus on memory-resident or fileless malware #KL2016Prediction

The nightmare of ransomware continues

We expect to see the success of Ransomware spread to new frontiers. Ransomware has two advantages over traditional banking threats: direct monetization and relatively low cost per victim. This amounts to decreased interest from well-resourced third-parties such as banks, as well as low levels of reporting to law-enforcement agencies. Not only do we expect ransomware to gain ground on banking trojans but we also expect it to transition into other platforms. Weak attempts at bringing ransomware to mobile (Simplelocker) and Linux (Ransom.Linux.Cryptor, Trojan-Ransom.FreeBSD.Cryptor) have already been witnessed, but perhaps the more desirable target platform is OS X. We expect ransomware to cross the Rubicon to not only target Macs but also charge ‘Mac prices’. Then, in the longer term, there is the likelihood of IoT ransomware, begging the question, how much would you be willing to pay to regain access to your TV programming? Your fridge? Your car?

We expect ransomware to gain ground on banking trojans and to transition into other platforms #KL2016Prediction

Betting against the house: financial crimes at the highest level

The merging of cybercrime and APT has emboldened financially motivated criminals who have gracefully transitioned from attacking end users to going after the financial institutions themselves. The past year has seen plenty of examples of attacks on point-of-sale systems and ATMs, not to mention the daring Carbanak heist that pilfered hundreds of millions of dollars. In the same vein, we expect cybercriminals to set their sights on novelties like alternate payment systems (ApplePay and AndroidPay) whose increasing rate of adoption should offer a new means of immediate monetization. Another inevitable point of interest is stock exchanges, the true mother lode. While frontal attacks may yield quick payoffs, we mustn’t overlook the possibility of more subtle means of interference, such as going after the black-box algorithms employed in high-frequency trading to ensure prolonged gains with a lower likelihood of getting caught.

Cybercriminals will set sights on novelties like alternate payment systems and stock exchanges #KL2016Prediction

Attacks on security vendors

As attacks on security vendors rise, we foresee an interesting vector in compromising industry-standard reverse-engineering tools like IDA and Hiew, debugging tools like OllyDbg and WinDbg, or virtualization tools like the VMware suite and VirtualBox. CVE-2014-8485, a vulnerability in the Linux implementation of ‘strings’, presents an example of the vulnerable landscape of nontrivial security research tools that determined attackers may choose to exploit when targeting researchers themselves. In a similar vein, the sharing of freeware research tools through code repositories like Github is an area ripe for abuse, as users will more often than not pull code and execute it on their systems without so much as a glance. Perhaps we should also be casting a suspicious glance towards popular implementations of PGP so eagerly embraced by the infosec community.

We foresee a vector in compromising reverse-engineering, debugging & virtualization tools #KL2016Prediction

Sabotage, extortion and shame

From dumps of celebrity nudes to the Sony and Ashley Madison hacks and the HackingTeam dump, there has been an undeniable increase in DOXing, public shaming, and extortion. Hacktivists, criminals, and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists, and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cybersecurity to feign hacker prowess. Sadly, we can only expect this practice to continue to rise exponentially.

Whom do you trust?

Perhaps the scarcest commodity in the current internet age is trust. Abuse of trusted resources will further drive this scarcity. Attackers will continue to enlist open-source libraries and whitelisted resources for malicious purposes. We expect another form of trust to be abused, that of a company’s internal resources: as crafty attackers seek to expand their foothold on an infected network, they may target resources limited to the company intranet such as waterholing Sharepoint, file server, or ADP portals. Perhaps we’ll even witness the furthest extension of the already rampant abuse of trusted certificates as attackers establish an entirely fabricated certificate authority to issue certificates for their malware.

Attackers will enlist open-source libraries and whitelisted resources for malicious purposes #KL2016Prediction

APT actors down the road

The profitability of cyberespionage has not escaped the attention of our foes and, as we expected, mercenaries have begun populating the scene. This trend will only increase to match the demand for cyber-capabilities by both companies as well as known APT actors looking to outsource less critical tasking without risking their tools and infrastructure. We could float the term ‘APT-as-a-Service’, but perhaps more interestingly we can expect the evolution of targeted attacks to yield ‘Access-as-a-Service’. The latter entails the sale of access to high-profile targets that have already fallen victim to mercenaries.

We'll see members of well-established APT teams potentially coming out of the shadows #KL2016Prediction

Looking further into the future of cyberespionage, we see members of well-established APT teams (‘APT 1%ers’, if you will) potentially coming out of the shadows. This would happen in one of two forms: as part of the private sector with the proliferation of ‘hacking back’, or by sharing their insights with the larger infosec community, perhaps by joining us at conferences to share the other side of the story. In the meantime, we can expect the APT Tower of Babel to incorporate a few more languages.

The future of the Internet

The infrastructure of the internet itself has shown signs of tension and cracks in recent years. Concerns over massive router botnets, BGP hijacking and dampening, DNS attacks en masse, or server-powered DDoSes betray a lack of accountability and enforcement on a global scale. Looking further down the line to long-term predictions, we can consider what the internet might look like if that narrative of a globally connected village continues to wither. We may end up with a balkanized internet divided by national borders. At that point, concerns over availability may come down to attacks on the service junctures that provide access between different sections, or perhaps geopolitical tensions that target the cables that connect large swathes of the internet. Perhaps we’ll even see the rise of a black market for connectivity. Similarly, we can expect that as technologies that power the internet’s underbelly continue to gain mainstream attention and widespread adoption, developers with a stake in shadow markets, exchanges, and forums are likely to develop better technologies to keep the underground truly underground.

The internet's cracked: we may end up with a balkanized internet divided by national borders #KL2016Prediction

The future of transportation

As investment and high-end research capabilities are dedicated to developing autonomous vehicles for both personal and commercial distribution, we will witness the rise of distributed systems to manage the routes and traffic of large volumes of these vehicles. The attacks may not focus on the distribution systems themselves, but perhaps on the interception and spoofing of the protocols they rely on (a proof of concept of the vulnerabilities of the widely adopted Globalstar satcom system was presented by a Synack researcher at this year’s BlackHat conference). Foreseeable intentions behind these attacks include theft of high-value goods or kinetic damage resulting in loss of life.

Crypto: a breakdown in the reliability of standards and a need of 'post-quantum cryptography' #KL2016Prediction

The cryptopocalypse is nigh

Finally, we cannot overemphasize the importance of cryptographic standards in maintaining the functional value of the internet as an information-sharing and transactional tool of unparalleled promise. These cryptographic standards rely on the expectation that the computational power required to break their encrypted output is simply above and beyond our combined means as a species. But what happens when we take a paradigmatic leap in computational capabilities as promised by future breakthroughs in quantum computing? Though quantum capabilities will not be initially available to the common cybercriminal, it signals a breakdown in the reliability of current crypto-standards and a need to design and implement ‘post-quantum cryptography’. Given the poor rate of adoption or proper implementation of high-quality cryptography as it is, we do not foresee a smooth transition to counterbalance cryptographic failures at scale.

Analyzing a DDoS Trojan

InfoSec Institute Resources - 17 November, 2015 - 14:00

MD5: 67877403db7f8ce451b72924188443f8

Installer: In the main function of the malware, two subroutines are used for checking whether the malware is already installed on the system or not. Registry and file paths are checked. If you look, you will see the installation path is syswow64, which is present on 64-bit systems, so this will fail for […]


Category: Hacking & Security

ISIL, Terrorism and Technology: A Dangerous Mix

InfoSec Institute Resources - 17 November, 2015 - 14:00

Introduction

I was watching the Homeland series on TV when I received the news of the dramatic events in Paris. The introduction to this latest episode was explaining that modern terrorists have new weapons in their arsenal – keyboards. Terrorist organizations are increasing their cyber capabilities. They make great use of technology for propaganda, to […]


Category: Hacking & Security

Jewish school website defaced with pro-Islam messages

Sophos Naked Security - 17 November, 2015 - 13:25
The homepage of London's Jewish Free School was replaced with a message that showed a balaclava-clad figure, a Tunisian flag and Arabic writing followed by text condemning "terrorism against Muslims".

Feel free to hack your Wi-Fi routers, says FCC

Sophos Naked Security - 17 November, 2015 - 13:24
The Federal Communications Commission put out new guidelines with less muddy wording about open-source firmware.

Single-digit data entry glitch led to plane tailstrike

Sophos Naked Security - 17 November, 2015 - 12:58
Make that *two* glitches: an iPad fat-finger and the pilot forgetting to carry the "1" when calculating takeoff weight on a notepad.

After Paris Attacks, Here's What the CIA Director Gets Wrong About Encryption

LinuxSecurity.com - 17 November, 2015 - 11:35
LinuxSecurity.com: It's not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.
Category: Hacking & Security

Why the CIA wanting encryption backdoors is a failure of leadership, not intelligence

LinuxSecurity.com - 17 November, 2015 - 11:33
LinuxSecurity.com: It took about three days for the CIA director and former intelligence officials to reignite the debate over the use of encryption, with some speculating that it may have been the reason why French and other Western intelligence agencies were unable to prevent the Paris attack earlier this month.
Category: Hacking & Security

ISIS using encrypted apps for communications; former intel officials blame Snowden [Updated]

LinuxSecurity.com - 17 November, 2015 - 11:31
LinuxSecurity.com: Update: The New York Times has pulled a story it published Monday stating that French officials speaking off the record had said the Paris attackers used encrypted communications to coordinate their attacks with ISIS. Ars will update this story further as more information on the retraction becomes available; our original story, including references to that reporting, is below.
Category: Hacking & Security