Kategorie

  Indicators of compromise or IOCs are evidence indicating a breach of security. IOC includes virus signature, IP address, Hash value of Malware, Malicious URL and Domains, C2 servers, etc. Documenting and monitoring of these IOCs help organizations to react proactively to overcome security breaches. Mismatch Port – Application Traffic is one of the top […]

The post Threat Hunting for Mismatched Port – Application Traffic appeared first on InfoSec Resources.

Threat Hunting for Mismatched Port – Application Traffic was first posted on August 10, 2018 at 1:00 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Despite increased user awareness, phishing remains one of the biggest security threats to the enterprise. Of 1,450 data breach incidents in 2017, Verizon found that the majority — 1,192 — involved phishing, and email was the most common vector used (in 96 percent of incidents). Consumers are not off the hook either, even if they […]

The post The 6 Latest Phishing Emails to Avoid in 2018 appeared first on InfoSec Resources.

The 6 Latest Phishing Emails to Avoid in 2018 was first posted on August 10, 2018 at 12:30 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Researchers crack voice authentication systems by recreating any voice using under ten minutes of sample audio.

Earning your PMP certification can increase your earnings by as much as 20 percent. A Project Management Professional (PMP) certification proves to employers that you know what it takes to manage projects efficiently, within budget and on-schedule. InfoSec Institute instructor Chris Danek and sales manager Jarrod Mayes discuss how the PMP certification process works and how […]

The post PMP Certification: Boost Your Career and Earn More Money (CyberSpeak Podcast) appeared first on InfoSec Resources.

PMP Certification: Boost Your Career and Earn More Money (CyberSpeak Podcast) was first posted on August 10, 2018 at 9:05 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction In the previous two installments of this series, we examined information security management and the implementation and monitoring of security controls. Now, in this third and final part of this article series, we’ll be looking at the physical and environmental protection of information assets. We’ll also take a moment to summarize some of what […]

The post Best Practices for the Protection of Information Assets, Part 3 appeared first on InfoSec Resources.

Best Practices for the Protection of Information Assets, Part 3 was first posted on August 10, 2018 at 8:15 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

“Phishing” is a form of Internet scam that has become much more common in the past few years. A phishing attempt will usually come in the form of an email that tries to fool you into believing it’s a message from an authentic company and that it needs you to enter your personal information to […]

The post How to Add a Phishing Notification Button to Outlook appeared first on InfoSec Resources.

How to Add a Phishing Notification Button to Outlook was first posted on August 10, 2018 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Image credit: Sascha Kohlmann, CC BY-SA 2.0
Many of the systems that power the modern world are supposed to be beyond the reach of mere mortals. Developers naively assume that these systems will never give up their secrets to attackers and eagle-eyed researchers.

ATMs are a perfect case in point. Thefts with malware of the likes of Cutlet Maker, as well as unpublicized incidents when unknown attackers plugged in their laptop to an ATM and stole cash without leaving any system logs behind, confirm what the security community has long known. There is no such thing as a hack-proof system, merely one that has not been sufficiently tested.

Getting startedEven now, many people think that the only way to rob an ATM involves the brutest of brute force: pulling up in a pickup, attaching a hook, and pushing hard on the gas pedal, before savaging the ATM with a circular saw, crowbar, and welding kit.

But there is another way.

After a brief search on eBay, I obtained the board for a NCR USB S1 Dispenser with firmware. I had two objectives:

• Bypass the encryption used for commands (such as "dispense banknotes") that are sent by the ATM computer via USB to the dispenser.
• Bypass the requirement for physical access to the safe in order to complete authentication (which must be performed by toggling the bottom cassette in the safe), which is needed for generating the encryption keys for the commands mentioned above.

FirmwareThe firmware is an ELF file for the NXP ColdFire processor (the Motorola 68040, my favorite CPU!) running on VxWorks v5.5.1.


There are two main sections of interest in the ELF file, .text and .data:

• The first contains code that loops continuously most of the time (we'll call it the "main firmware") when the dispenser is connected to the system in the upper part of the ATM.
• The second contains a zlib-compressed bootloader (locally named "USB Secure Bootloader"), which is responsible for uploading firmware and running the main code.

And best of all (for researchers, anyway), is that the debug symbols in the ELF file were all there and easily searchable.

Inner workings of the main firmwareWe can divide the code into four main levels, from top to bottom in the hierarchy:

1. USB Receive Thread, which accepts USB packets and distributes them to the different services.
2. Services are the main units of execution. Each service has a particular role and corresponding tasks (classes).
3. Classes, here, are tasks that can be performed by a particular service using controllers.
4. Controllers are the workers that validate tasks, perform tasks, and generate result packets.

There was a lot of firmware code, so I decided to start by finding all possible services and only then trying to figure out where tasks are transferred.

Here are the services I found that were responsible for the actions of interest:

1) DispTranService (Dispenser Transaction Service): Handles encrypted commands, generates bundle of banknotes, authenticates, and much more. Sure, the interesting stuff.


2) securityService: After authentication, a session key is generated on the dispenser. When requested by the ATM computer, the session key is sent to it in encrypted form. This key is then used to encrypt all commands designated important by the vendor, such as dispensing cash and banknotes bundle forming.


But then another service, UsbDownloadService, caught my eye. The job of this service is, when the dispenser is connected to the computer and the firmware version on the dispenser doesn't match the version on the computer, switch to the bootloader in order to upload the firmware needed to work (which is stored in the folder with the vendor's software on the computer) with the OS. This service can also give us information about the current firmware version.


Physical authenticationPhysical authentication is in fact implemented extremely well, with the mission of protecting the ATM from unauthorized USB commands. The ATM safe with cash must be open in order to perform either of the following actions:

• Remove and insert the lower cassette.
• Toggle the switch on the dispenser main board.

But this all is required only if the access level is set to the maximum. There are a total of three access levels: USB (0), logical (1), and physical (2). The first two are used by firmware developers for debugging and testing. The vendor, of course, strongly urges selecting the third one by default.

The vulnerabilityHere I will describe a critical vulnerability (now fixed by the vendor) that with physical access to the service zone of the ATM but not to the safe zone (such as through a hole drilled in the ATM front panel), allowed the dispenser execute any command – even if the command is "give me cash now!"


I found that UsbDownloadService accepts commands that don't require encryption. That sounds tempting, but shouldn't Secure Bootloader prevent any further mischief, as its name implies?

Spoiler: …it doesn't!

We need to go deeper As mentioned already, the .data section contains compressed bootloader code that didn't initially catch my attention or that of my colleagues.


As long as the bootloader remained a secret, there was no way to answer the question: "How does the software on the computer upload the dispenser’s firmware?" The main firmware did not reveal any clues.


So the bootloader is unpacked and loaded into the IDA at offset 0x100000, from where investigation can start… except there are no debug symbols there!

But after comparing the main firmware with the bootloader code and reading the controller datasheet, I started to get a better idea of what was happening.


Although the process of firmware uploading seemed to be secure, in reality it was not. The trick was just to upload the firmware in the right way :)

Fully understanding this process took a lot of time and dedication (details can be learned from "Blackbox is dead – Long live Blackbox!" at Black Hat USA 2018 in Las Vegas). These efforts included re-soldering NVRAM and copying the backup to it in order to unbrick the controller… and other easy-peasy stuff like that.

Thank you to my colleague Alexey for his patience!

Here is the method for uploading firmware to the dispenser:

1) Generate an RSA key pair and upload the public key to the controller.


2) Write .data and .text from the ELF in sequence to their physical addresses, taken from the section headers:


3) Calculate the SHA-1 checksum for the newly written data, encrypt that value with the private key, and send the result to the controller.


4) Calculate and send the sum of all firmware words that have been written.


At which point, if everything has been calculated and written correctly, the main firmware will boot without a hitch.

Only one restriction was found for the firmware writing process: the version of the "new" firmware cannot be less than the version of the current firmware. But there's nothing to stop you from tinkering with the firmware number in the data that you write yourself.

So my special firmware with anti-security "secret sauce" was uploaded and run successfully!

By now I had a good knowledge of the main firmware, commands used to dispense cash, and more. All that remained was to send (unencrypted) commands, which the dispenser would eagerly obey.


Cash dispensingThis successful result was a worthy intellectual (although not monetary) reward for all the travails of research, such as bricking a real ATM (oops!). My curiosity almost inspired me to try repeating this trick with another major ATM vendor.


Ultimately, a very real ATM began to whirr and spit out very not-real dummy bills (vendors' shiny equivalent of Hollywood prop money). No magic was necessary: just a laptop, brainpower, and a USB cord.

Conclusions"Security through obscurity" is no security at all. Merely keeping code or firmware proprietary will not stop an attacker from finding a way in and taking advantage of vulnerabilities. Curiosity and an initial financial outlay are all that is required.

Just as development is best handled by developers, security should be the job of security professionals. The most productive approach for vendors is to work closely with dedicated security companies, which have teams possessing the necessary experience and qualifications to assess flaws and ensure a proper level of protection on a case-by-case basis.

PostscriptumThe vendor has confirmed the vulnerability (which was also found in the S2 model) and declared it fixed as of the February 2018 patch.

CVE listings:

• CVE-2017-17668 (NCR S1 Dispenser)
• CVE-2018-5717 (NCR S2 Dispenser)

AcknowledgementsBefore I had even set to work on the firmware, Dmitry Sklyarov and Mikhail Tsvetkov had already discovered a lot about it (even without having a dispenser board). Their findings were of enormous assistance! And as concerns everything hardware-related, Alexey Stennikov's help was absolutely invaluable.

Author: Vladimir Kononovich, Positive Technologies

Introduction As we know it today, Phishing has become one of the most commonly used tactics by the Cyber attacker to garner personal information and data. This primarily involves our physical addresses, E-Mail addresses, credit card numbers, banking and other types and kinds of financial information, Social Security numbers, etc. Phishing involves sending an E-Mail, […]

The post The Trends in Spear Phishing Attacks appeared first on InfoSec Resources.

The Trends in Spear Phishing Attacks was first posted on August 10, 2018 at 7:58 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

An inadvertently exposed login key could have spelled cybersecurity disaster for the Homebrew project, beloved of Mac developers everywhere.

It's one thing to discover a data leak, it's another to find out from a journalist that your website is leaking customer data.

Phishing remains a prominent way for cybercriminals to attack. It’s relatively easy to pull off and very profitable for perpetrators. According to research, the average cost of phishing attacks for U.S. businesses is $1.8 million. Moreover, you don’t have to be a genius to pull off a phishing attack. All they need to do is […]

The post Top 10 Anti-Phishing Email Templates appeared first on InfoSec Resources.

Top 10 Anti-Phishing Email Templates was first posted on August 10, 2018 at 7:45 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Researchers unearthed an army of 15,000 robot Twitter accounts plying a cryptocurrency scam.

Phishing (a form of social engineering) is escalating in both frequency and sophistication; consequently, it is even more challenging to defend against cyber-related attacks. These days, any industry, any workplace, any work role can be targeted by a phishing scam that is spreading beyond simple malicious email attachments and link manipulation techniques (i.e., phishers may […]

The post The 10 Best Practices for Identifying and Mitigating Phishing appeared first on InfoSec Resources.

The 10 Best Practices for Identifying and Mitigating Phishing was first posted on August 10, 2018 at 7:18 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Threat hunting is the proactive approach to find anomalies related to threats that could cause potential harm to an organization. These could be the signs of intrusion, as a part of malware campaign, ransomware attack, denial-of-service, data exfiltration and even crypto mining. Threat hunters constantly look for abnormalities in the behavior of an endpoint, server […]

The post Threat Hunting for Unexpectedly Patched Systems appeared first on InfoSec Resources.

Threat Hunting for Unexpectedly Patched Systems was first posted on August 10, 2018 at 7:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Vulnerabilities in healthcare devices and hospital systems are leading to growing concerns in the infosec community about patient safety.

Facebook apologizes for animated confetti and balloons that appeared on "I'm safe" posts during the Lombok earthquake.

LinuxSecurity.com: There is no comfortable way for an organisation to learn that its website is leaking customer data but one of the most alarming must surely be getting that bad news from a journalist.

LinuxSecurity.com: According to data released earlier this year, the most expensive data breaches start with third parties. Whether it is from poor configuration of online resources managed by a service provider, insecure third-party software, or insecure communication channels with partners, working with third parties can expose organizations to a ton of risks if they don't pay close enough attention.

Here we are once more to discuss another surveillance program that could threaten the privacy of U.S. citizens. This time, our topic is the previously-undisclosed “Quiet Skies” program. The Transportation Security Administration (TSA) has admitted that the program has monitored about 5,000 U.S. citizens on domestic flights in recent months. Like any other surveillance program, […]

The post “Quiet Skies” – A TSA Surveillance Program Targets Ordinary U.S. Citizens appeared first on InfoSec Resources.

“Quiet Skies” – A TSA Surveillance Program Targets Ordinary U.S. Citizens was first posted on August 9, 2018 at 5:30 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Straight from Black Hat 2018: How TRITON disrupted safety systems and changed the threat landscape of industrial control systems, forever.