Hacking & Security

Latest Windows UAC Bypass Permits Code Execution

Threatpost - 15 Srpen, 2016 - 21:35
Researcher Matt Nelson disclosed another Windows UAC bypass, one that makes use of Event Viewer to hijack registry entries and run code.
Kategorie: Hacking & Security

Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

Ars Technica - 15 Srpen, 2016 - 20:25

(credit: Ron Amadeo)

An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

"The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted," Lookout researcher Andrew Blaich told Ars. "If there's somewhere they're going to that they don't want tracked, always ensure they're encrypted."

Read 5 remaining paragraphs | Comments

Kategorie: Hacking & Security

20 hotels suffer hack costing tens of thousands their credit card information

Ars Technica - 15 Srpen, 2016 - 20:10

(credit: HEI Hotels & Resorts)

The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—HEI Hotels & Resorts—said this weekend that the payment systems for 20 of its locations had been infected with malware that may have been able to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes. HEI claims that it did not lose control of any customer PINs, as they are not collected by the company’s systems.

Still, HEI noted on its website that it doesn’t store credit card details either. “We believe that the malware may have accessed payment card information in real-time as it was being inputted into our systems,” the company said.

The breach appears to have hit 20 HEI Hotels, and in most cases, the malware appears to have been active from December 2, 2015 to June 21, 2016. In a few cases, hotels may have been affected as early as March 1, 2015. According to a statement on HEI’s website, the malware affected point-of-sale (POS) terminals at the affected properties, but online booking and other online transactions were not affected.

Read 4 remaining paragraphs | Comments

Kategorie: Hacking & Security

Westin, Marriott, Sheraton Hotels Hit By Payment Card Malware

Threatpost - 15 Srpen, 2016 - 18:57
Twenty hotels belonging to HEI Hotels and Resorts have been implicated in a data breach that may have leaked payment data from tens of thousands point of sale purchases.
Kategorie: Hacking & Security

Tech support scammer tricked into installing ransomware

Sophos Naked Security - 15 Srpen, 2016 - 18:57
Tables were turned on a fake tech support line when a tech-savvy 'victim' played them at their own game.

Guided in-process fuzzing of Chrome components

Google Security Blog - 15 Srpen, 2016 - 18:54
Posted by Max Moroz, Chrome Security Engineer and Kostya Serebryany, Sanitizer Tsar

In the past, we’ve posted about innovations in fuzzing, a software testing technique used to discover coding errors and security vulnerabilities. The topics have included AddressSanitizer, ClusterFuzz, SyzyASAN, ThreadSanitizer and others.

Today we'd like to talk about libFuzzer (part of the LLVM project), an engine for in-process, coverage-guided, white-box fuzzing:

  • By in-process, we mean that we don’t launch a new process for every test case, and that we mutate inputs directly in memory.
  • By coverage-guided, we mean that we measure code coverage for every input, and accumulate test cases that increase overall coverage.
  • By white-box, we mean that we use compile-time instrumentation of the source code.

LibFuzzer makes it possible to fuzz individual components of Chrome. This means you don’t need to generate an HTML page or network payload and launch the whole browser, which adds overhead and flakiness to testing. Instead, you can fuzz any function or internal API directly. Based on our experience, libFuzzer-based fuzzing is extremely efficient, more reliable, and usually thousands of times faster than traditional out-of-process fuzzing.
Our goal is to have fuzz testing for every component of Chrome where fuzzing is applicable, and we hope all Chromium developers and external security researchers will contribute to this effort.
How to write a fuzz target
With libFuzzer, you need to write only one function, which we call a target function or a fuzz target. It accepts a data buffer and length as input and then feeds it into the code we want to test. And... that’s it!
The fuzz targets are not specific to libFuzzer. Currently, we also run them with AFL, and we expect to use other fuzzing engines in the future.
Sample Fuzzer

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 std::string buf;
 woff2::WOFF2StringOut out(&buf);
 out.SetMaxSize(30 * 1024 * 1024);
 woff2::ConvertWOFF2ToTTF(data, size, &out);
 return 0;
See also the build rule.
Sample Bug

==9896==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e000022836 at pc 0x000000499c51 bp 0x7fffa0dc1450 sp 0x7fffa0dc0c00WRITE of size 41994 at 0x62e000022836 thread T0SCARINESS: 45 (multi-byte-write-heap-buffer-overflow)    #0 0x499c50 in __asan_memcpy    #1 0x4e6b50 in Read third_party/woff2/src/buffer.h:86:7    #2 0x4e6b50 in ReconstructGlyf third_party/woff2/src/woff2_dec.cc:500    #3 0x4e6b50 in ReconstructFont third_party/woff2/src/woff2_dec.cc:917    #4 0x4e6b50 in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) third_party/woff2/src/woff2_dec.cc:1282    #5 0x4dbfd6 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/convert_woff2ttf_fuzzer.cc:15:3

Check out our documentation for additional information.

Integrating LibFuzzer with ClusterFuzz

ClusterFuzz is Chromium’s infrastructure for large scale fuzzing. It automates crash detection, report deduplication, test minimization, and other tasks. Once you commit a fuzz target into the Chromium codebase (examples), ClusterFuzz will automatically pick it up and fuzz it with libFuzzer and AFL. 

ClusterFuzz supports most of the libFuzzer features like dictionaries, seed corpus and custom options for different fuzzers. Check out our Efficient Fuzzer Guide to learn how to use them.

Besides the initial seed corpus, we store, minimize, and synchronize the corpora for every fuzzer and across all bots. This allows us to continuously increase code coverage over time and find interesting bugs along the way.

ClusterFuzz uses the following memory debugging tools with libFuzzer-based fuzzers:
  • AddressSanitizer (ASan): 500 GCE VMs
  • MemorySanitizer (MSan): 100 GCE VMs
  • UndefinedBehaviorSanitizer (UBSan): 100 GCE VMs

Sample Fuzzer Statistics

It’s important to track and analyze performance of fuzzers. So, we have this dashboard to track fuzzer statistics, that is accessible to all chromium developers:

Overall statistics for the last 30 days:
  • 120 fuzzers
  • 112 bugs filed
  • Aaaaaand…. 14,366,371,459,772 unique test inputs!

Analysis of the bugs found so far
Looking at the 324 bugs found so far, we can say that ASan and MSan have been very effective memory tools for finding security vulnerabilities. They give us comparable numbers of crashes, though ASan crashes usually are more severe than MSan ones. LSan (part of ASan) and UBSan have a great impact for Stability - another one of our 4 core principles.

Extending Chrome’s Vulnerability Reward Program
Under Chrome's Trusted Researcher Program, we invite submission of fuzzers. We run them for you on ClusterFuzz and automatically nominate bugs they find for reward payments.
Today we're pleased to announce that the invite-only Trusted Researcher Program is being replaced with the Chrome Fuzzer Program which encourages fuzzer submissions from all, and also covers libFuzzer-based fuzzers! Full guidelines are listed on Chrome’s Vulnerability Reward Program page.
Kategorie: Hacking & Security

Windows system call tables updated, refreshed and reworked

j00ru//vx tech blog - 15 Srpen, 2016 - 15:07

Those of you interested in the Windows kernel-mode internals are probably familiar with the syscall tables I maintain on my blog: the 32-bit and 64-bit listings of Windows system calls with their respective IDs in all major versions of the OS, available here (and are also linked to in the left menu):

After a few years of inactivity in this area, I’ve found some time to update and thoroughly refresh the tables. The changelog is as follows:

  1. Added information from Windows Server 2003 (R2, R2 SP2), Windows Server 2008 (R2, R2 SP1), Windows Server 2012 (R2) and Windows 10 (1507, 1511, 1607).
  2. Clarified some versions of Windows, resulting in removing non-existent Windows Server 2008 SP1 (32-bit), Windows XP SP0 (64-bit), Windows Server 2003 SP1 (64-bit), Windows Server 2008 SP1 (64-bit).
  3. Removed empty columns with missing information from the win32k 32-bit table.
  4. Performed a major clean up of the lists, resolving all syscall handler collisions and renaming invalid symbols (e.g. “FsRtlSyncVolumes”) stemming from compiler optimizations to their correct form. From now on, all system calls are represented by their real names starting with “Nt”.
  5. Unified the layout of NT and win32k tables.
  6. Added more granular information to the win32k 64-bit table (accounting for all service packs and major releases).
  7. Fixed HTML syntax errors and improved JavaScript code formatting.

I hope the tables keep proving useful for Windows researchers interested in those interfaces. :-) And of course, all comments, suggestions and bug reports are highly appreciated!

The World Series of Hacking—without humans

Ars Technica - 15 Srpen, 2016 - 15:00

LAS VEGAS—On a raised floor in a ballroom at the Paris Hotel, seven competitors stood silently. These combatants had fought since 9:00am, and nearly $4 million in prize money loomed over all the proceedings. Now some 10 hours later, their final rounds were being accompanied by all the play-by-play and color commentary you'd expect from an episode of American Ninja Warrior. Yet, no one in the competition showed signs of nerves.

To observers, this all likely came across as odd—especially because the competitors weren't hackers, they were identical racks of high-performance computing and network gear. The finale of the Defense Advanced Research Projects Agency's Cyber Grand Challenge, a DEFCON game of "Capture the Flag," is all about the "Cyber Reasoning Systems"(CRSs). And these collections of artificial intelligence software armed with code and network analysis tools were ready to do battle.

Inside the temporary data center arena, referees unleashed a succession of "challenge" software packages. The CRSs would vie to find vulnerabilities in the code, use those vulnerabilities to score points against competitors, and deploy patches to fix the vulnerabilities. Throughout the whole thing, each system had to also keep the services defined by the challenge packages up and running as much as possible. And aside from the team of judges running the game from a command center nestled amongst all the compute hardware, the whole competition was untouched by human hands.

Read 43 remaining paragraphs | Comments

Kategorie: Hacking & Security

The Biometric Technologies of the Future

InfoSec Institute Resources - 15 Srpen, 2016 - 14:00

Introduction Overview of the Previous Article Our last article reviewed what Multimodal Biometric Solutions are all about, and what the implications are for deploying such a type of security system. Essentially, this type of configuration involves implementing two or more Biometric modalities in such a fashion that it provides multiple layers of security for the […]

The post The Biometric Technologies of the Future appeared first on InfoSec Resources.

Kategorie: Hacking & Security

Hardware Hacking for IoT Devices – Offensive IoT Exploitation

InfoSec Institute Resources - 15 Srpen, 2016 - 14:00

Welcome to the 4th post in the Offensive IoT Exploitation series. In the previous posts, we have discussed Firmware based exploitation for IoT devices. In this post, we are going to cover about various aspect of IoT device security, focusing solely on the hardware side of things. Whenever we look at any embedded device, there […]

The post Hardware Hacking for IoT Devices – Offensive IoT Exploitation appeared first on InfoSec Resources.

Kategorie: Hacking & Security

Virus nakazil statisíce mobilů. Kyberzločinci zneužívají populární aplikaci Prisma

Novinky.cz - bezpečnost - 15 Srpen, 2016 - 13:48
Prisma je bezesporu jednou z nejpopulárnějších mobilních aplikací letošního léta. Toho si všimli také počítačoví piráti, kteří začali internetem šířit její podvodné verze. Nachytat se nechaly statisíce lidí, uvedli bezpečnostní experti antivirové společnosti Eset.
Kategorie: Hacking & Security

The World Series of Hacking-without humans

LinuxSecurity.com - 15 Srpen, 2016 - 13:12
LinuxSecurity.com: On a raised floor in a ballroom at the Paris Hotel, seven competitors stood silently. These combatants had fought since 9:00am, and nearly $4 million in prize money loomed over all the proceedings. Now some 10 hours later, their final rounds were being accompanied by all the play-by-play and color commentary you'd expect from an episode of American Ninja Warrior. Yet, no one in the competition showed signs of nerves.
Kategorie: Hacking & Security

A New Wireless Hack Can Unlock 100 Million Volkswagens

LinuxSecurity.com - 15 Srpen, 2016 - 13:11
LinuxSecurity.com: In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years.
Kategorie: Hacking & Security

Undocumented SNMP String Exposes Rockwell PLCs to Remote Attacks

LinuxSecurity.com - 15 Srpen, 2016 - 13:10
LinuxSecurity.com: An undocumented SNMP community string has been discovered in programmable logic controllers (PLCs) built by Allen-Bradley Rockwell Automation that exposes these devices deployed in a number of critical industries to remote attacks.
Kategorie: Hacking & Security

Russian Hackers Hit Oracle's MICROS POS

LinuxSecurity.com - 15 Srpen, 2016 - 13:09
LinuxSecurity.com: Russian hackers have compromised a customer support portal for Oracle's MICROS point-of-sale (POS) systems and accessed user names and passwords, KrebsOnSecurity's Brian Krebs reports.
Kategorie: Hacking & Security

New Banking Malware Touts Zeus-Like Capabilities

LinuxSecurity.com - 15 Srpen, 2016 - 13:08
LinuxSecurity.com: Financial institutions could be in for more trouble of the Zeus-like variety if a new malware kit being promoted in an underground forum is any indication.
Kategorie: Hacking & Security

How to tell the “real” @realDonaldTrump, and why it’s a security lesson for us all

Sophos Naked Security - 15 Srpen, 2016 - 12:59
The "real" @realDonaldTrump, as opposed to much calmer tweets from what's apparently his staff.

Good morning Android!

Kaspersky Securelist - 15 Srpen, 2016 - 12:13

This morning, we encountered a gratuitous act of violence against Android users. By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!

Download of a malicious application while viewing a news site using AdSense

It turns out the malicious program is downloaded via the Google AdSense advertising network. Be warned, lots of sites use this network – not just news sites – to display targeted advertising to users. Site owners are happy to place advertising like this because they earn money every time a user clicks on it. But anyone can register their ad on this network – they just need to pay a fee. And it seems that didn’t deter the authors of the Svpeng Trojan from pushing their creation via AdSense. The Trojan is downloaded as soon as a page with the advert is visited.

A similar case was registered in mid-July by the Meduza news portal. As a result, they disabled advertising from AdSense on their pages. At that time the technique was used to distribute an earlier version of the Trojan.

Screenshot from the Meduza news site (https://new.vk.com/wall-76982440_659517)

The Svpeng family of banking Trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions. After being installed and launching, it disappears from the list of installed apps and requests the device’s admin rights (to make it harder for antivirus software or the user to remove it). Svpeng can steal information about the user’s bank cards via phishing windows, intercept, delete, and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer). Also, the malware can counteract mobile security solutions that are popular in Russia by completeing their processes.

In addition, Svpeng collects an impressive amount of information from the user’s phone – the call history, text and multimedia messages, browser bookmarks and contacts.

Be careful and use antivirus solutions!

Special thanks to our colleague Stanislav Zaytsev for the video.

On August 15, a Meduza representative reported that their problem with AdSense had been resolved and the news site was no longer infected.

Safer Gmail: more warnings against fakes, phishers, and spoofers

Sophos Naked Security - 15 Srpen, 2016 - 12:08
Google is toughening up Gmail's safeguards to make email just a little bit safer.

Monday review – the hot 23 stories of the week

Sophos Naked Security - 15 Srpen, 2016 - 11:22
From the Nigerian scammer infected with malware to the US judge's warning that Tor can be "cracked like eggshells", and much more!
Syndikovat obsah