Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 6, 2019

Getting Started in Bug Bounty

Filed under: Bugs,Cybersecurity,Hacking — Patrick Durusau @ 8:11 pm

The key lesson here is that hours and hours of practice are required. There’s no shortcut that avoids putting in the time to learn your tools and the weaknesses they are best at detecting.

Reminder, as of October 7, 2019, there are 270 working days left until the 2020 elections in the United States. Use your time wisely!

May 17, 2019

Declining Hacktivism

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:24 pm

A 95% drop in hacktivist attacks since 2015 is explained by Cimpanu as mostly due to the decline of the Anonymous hacker collective, described as:

But nothing has led to the group’s demise more than the inefficiency of most of its attacks. Defacing websites and launching DDoS attacks rarely gets anything done.

Neither does stealing data from websites that are completely unrelated to a specific topic. In many cases, Anonymous hackers ended up dumping personal user information into the public domain and hurting innocent people for ridiculous causes, attracting both scorn and ridicule.

Most hacking attacks don’t have the impact of an AGM-114 Hellfire missile at a BP Oil shareholders meeting. Granted, but that’s hardly a criterion for hacking success.

Cimpanu’s “hurting innocent people for ridiculous causes” captures his allegiance to oppressive status quo systems better than any invective from me. Would dumping the personal information of DoD employees qualify? Or DoD employees with their deployments overseas, matching them up with locations for anyone looking for likely suspects in war crimes? There are parts of the world where that would be a very popular database.

Cybersecurity degrades with every hire and new 0days appear on a regular basis. Now should be a golden age of hacktivism, save for next year, which will be even better.

Don’t be discouraged by law enforcement puffery about stopping hackers. If they are that good, why are children being sold for sex through the Atlanta airport? Or drugs pouring across the border in large cargo trucks? Or banks being robbed for that matter. Don’t they know where all the banks are located?

I’m hopeful the headlines next year will declare hacktivism is on the rise. Aren’t you?

May 16, 2019

Free Online Proxy Servers (Review)

Filed under: Cybersecurity,Proxy Servers,Tor — Patrick Durusau @ 3:59 pm

The Best Free Online Proxy Servers You Can Use Safely by Dan Price.

From the post:

Proxy sites and proxy servers allow internet users to bypass internet restrictions and access content that would otherwise be blocked.

Lots of free proxy providers exist, but which are the best? Are there any risks of using a free online proxy? And what alternatives are available?

Price has a top 5 free proxy servers that starts with HideMyAss and goes down from there. 😉 Links to several paid proxy services are listed as well.

HideMyAss uses cookies, so it is best to approach it using a VPN and the Tor Browser. You should be using a VPN and the Tor Browser by default. Even if you don’t need that level of security, it helps to generate traffic that benefits others.

RIDL and Fallout: MDS attacks (Intel Chips)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:50 pm

RIDL and Fallout: MDS attacks

From the webpage:

The RIDL and Fallout speculative execution attacks allow attackers to leak private data across arbitrary security boundaries on a victim system, for instance compromising data held in the cloud or leaking your data to malicious websites. Our attacks leak data by exploiting the 4 newly disclosed Microarchitectural Data Sampling (or MDS) side-channel vulnerabilities in Intel CPUs. Unlike existing attacks, our attacks can leak arbitrary in-flight data from CPU-internal buffers (Line Fill Buffers, Load Ports, Store Buffers), including data never stored in CPU caches. We show that existing defenses against speculative execution attacks are inadequate, and in some cases actually make things worse. Attackers can use our attacks to leak sensitive data despite mitigations, due to vulnerabilities deep inside Intel CPUs.

In addition to being a great post, there is an interactive image of the Intel chip with known vulnerabilities in color.

The uncolored areas may have unknown vulnerabilities.
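As an added example (not code from the RIDL/Fallout site), here is the check a defender actually wants after reading the above: does this Linux host report the MDS mitigation, and does its microcode advertise the MD_CLEAR capability the mitigation relies on? The sysfs path and flag name are the ones the kernel exposes; the sample status strings are constructed from the wording documented in the kernel’s admin guide.

```python
"""Classify the Linux kernel's reported MDS (RIDL/Fallout) mitigation status.

Reads /sys/devices/system/cpu/vulnerabilities/mds and the md_clear flag in
/proc/cpuinfo and reduces them to a one-word verdict a scanner can report.
"""
import os
import re

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"
CPUINFO = "/proc/cpuinfo"


def parse_mds_status(text: str) -> dict:
    """Parse the single line of the mds sysfs file into findings."""
    line = text.strip()
    result = {"raw": line, "affected": True, "mitigated": False, "smt": "unknown"}
    if line == "Not affected":
        result.update(affected=False, mitigated=True, smt="n/a")
        return result
    if line.startswith("Mitigation:"):
        result["mitigated"] = True
    # For affected CPUs the kernel appends an SMT note, e.g.
    #   "; SMT vulnerable", "; SMT mitigated", "; SMT disabled",
    #   "; SMT Host state unknown" (inside a VM).
    m = re.search(r";\s*SMT\s+(.+)$", line)
    if m:
        result["smt"] = m.group(1).strip().lower()
    return result


def verdict(status: dict) -> str:
    """Reduce parsed findings to a verdict."""
    if not status["affected"]:
        return "not-affected"
    if not status["mitigated"]:
        return "vulnerable"
    # Buffers are cleared on return to user space, but a sibling hyperthread
    # can still sample in-flight data unless SMT is off (or reported mitigated).
    if status["smt"] in ("disabled", "mitigated"):
        return "mitigated"
    return "mitigated-smt-exposed"


def has_md_clear(cpuinfo_text: str) -> bool:
    """True if the microcode advertises MD_CLEAR (VERW flushes CPU buffers)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "md_clear" in line.split(":", 1)[1].split()
    return False


def check_host(sysfs_path: str = MDS_SYSFS, cpuinfo_path: str = CPUINFO) -> str:
    """Run the check on the live host; 'unknown' if the kernel lacks the file."""
    if not os.path.exists(sysfs_path):
        return "unknown"
    with open(sysfs_path) as fh:
        status = parse_mds_status(fh.read())
    if os.path.exists(cpuinfo_path):
        with open(cpuinfo_path) as fh:
            status["md_clear"] = has_md_clear(fh.read())
    return verdict(status)


if __name__ == "__main__":
    print("mds:", check_host())
```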

Good hunting!

0day “In the Wild” (05-15-2019)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:56 pm

0day “In the Wild”

Catalin Cimpanu tweeted that Google has updated its 0day “In the Wild” spreadsheet.

For an introduction to the spreadsheet, see Zero Day.

Given update rates, the earliest zero days from 2014 probably have another five (5) years of useful life left. Perhaps more with government installations.

Enjoy!

April 24, 2019

Metasploit Demo Meeting 2019-04-23

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:05 pm

Metasploit Demo Meeting 2019-04-23

Entertaining and informative update for metasploit. Billed as:

The world’s most used penetration testing framework.

Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Enjoy!

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 [Defining “foreign” government]

Filed under: Cybersecurity,Government,Hacking,Radare2 — Patrick Durusau @ 12:30 pm

Deobfuscating APT32 Flow Graphs with Cutter and Radare2 by Itay Cohen.

The Ocean Lotus group, also known as APT32, is a threat actor which has been known to target East Asian countries such as Vietnam, Laos and the Philippines. The group strongly focuses on Vietnam, especially private sector companies that are investing in a wide variety of industrial sectors in the country. While private sector companies are the group’s main targets, APT32 has also been known to target foreign governments, dissidents, activists, and journalists.

APT32’s toolset is wide and varied. It contains both advanced and simple components; it is a mixture of handcrafted tools and commercial or open-source ones, such as Mimikatz and Cobalt Strike. It runs the gamut from droppers, shellcode snippets, through decoy documents and backdoors. Many of these tools are highly obfuscated and seasoned, augmented with different techniques to make them harder to reverse-engineer.

In this article, we get up and close with one of these obfuscation techniques. This specific technique was used in a backdoor of Ocean Lotus’ tool collection. We’ll describe the technique and the difficulty it presents to analysts — and then show how bypassing this kind of technique is a matter of writing a simple script, as long as you know what you are doing.

The deobfuscation plugin requires Cutter, the official GUI of the open-source reverse engineering framework – radare2. Cutter is a cross-platform GUI that aims to expose radare2’s functionality as a user-friendly and modern interface. Last month, Cutter introduced a new Python plugin system, which figures into the tool we’ll be constructing below. The plugin itself isn’t complicated, and neither is the solution we demonstrate below. If simple works, then simple is best.

Way beyond my present skills but I can read and return to it in the future.

I don’t know how Cohen defines foreign government but for my purposes, a foreign government is one that isn’t paying me. Simple, direct and to the point. That may be a U.S.-centric definition. The U.S. government spends $billions on oppressing people around the world but cybersecurity sees it with a begging cup out for volunteer assistance. On a scale of volunteer opportunities, the U.S. government and its fellow travelers should come out dead last.


April 23, 2019

Weaponized USB Drives and Beyond

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:19 pm

Weaponized USB devices as an attack vector by Alex Perekalin.

USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

Perekalin takes us beyond flash drives with a reminder that any USB device can be an attack vector.

An incomplete list of USB devices includes:

  • Speaker
  • Microphone
  • Sound card
  • MIDI
  • Modem
  • Ethernet adapter
  • Wi-Fi adapter
  • RS-232 serial adapter
  • Keyboard
  • Mouse
  • Joystick
  • Webcam
  • Scanner
  • Laser printer
  • Inkjet printer
  • USB flash drive
  • Memory card reader
  • Digital audio player
  • Digital camera

Just to name some of the more common ones. 

So it’s a little more expensive to do: “Congratulations! You were selected at random for a free digital camera!” (make sure it is a nice one) If it gets you inside the ******* agency, it’s worth every penny. Weaponized USB devices should be a standard part of your kit.

April 3, 2019

Reversing WannaCry Part 1 – [w/] #Ghidra

Filed under: Cybersecurity,Ghidra,Hacking — Patrick Durusau @ 7:43 pm

From Ghidra Ninja

From the description:

In this first video of the “Reversing WannaCry” series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.

The sample can be found here: https://www.ghidra.ninja/posts/03-wannacry-1/

Twitter: https://twitter.com/ghidraninja

Links:

Interview with MalwareTech: https://soundcloud.com/arrow-bandwidth/s3-episode-11-wannacry-interview-with-malware-tech-at-infosec-europe-2017

MalwareTech’s blogpost about the killswitch: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Further reading

Wikipedia: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

LogRhythm Analysis: https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

Secureworks Analysis: https://www.secureworks.com/research/wcry-ransomware-analysis

Unless you are a very proficient Windows reverse engineer, be prepared to pause the video repeatedly! A level of comfort to aspire to.


April 1, 2019

radare2 r2-3.4.0

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 6:59 pm

https://www.radare.org/r/

Now there’s a bold claim! Is that true? Only one way for you to know for sure! Well, what are you waiting for? Download r2-3.4.0 today!

March 31, 2019

Ghidra quickstart & tutorial: Solving a simple crackme

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 6:52 pm

Ghidra quickstart & tutorial: Solving a simple crackme

In this introduction to Ghidra we will solve a simple crackme – without reading any assembly!

The first of several Ghidra tutorials by Ghidra Ninja. Be sure to follow on Twitter!

March 30, 2019

ARM Assembly Basics

Filed under: ARM,Assembly,Cybersecurity,Hacking,Security — Patrick Durusau @ 8:51 pm

ARM Assembly Basics by Azeria.

Why ARM?:

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.
Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Written in the best tradition of sharing technical knowledge and skill, this is your ticket to over 100 billion ARM powered devices. Not all of them are of interest and/or vulnerable, but out of 100 billion (higher now) you will be kept busy.

Enjoy!

March 29, 2019

Pentagon Adopts Hostile Adoption Strategy

Filed under: Cybersecurity,FBI,Government,Hacking,Security — Patrick Durusau @ 10:44 am

Pentagon’s Multibillion-Dollar DEOS Contract is Guaranteed for Microsoft

High-five traffic saturated networks between groups of North Korean, Chinese and Russian hackers when they read:

In the coming weeks, the Pentagon—through its partner, the General Services Administration—will bid out a cloud-based contract for enterprisewide email, calendar and other collaboration tools potentially worth as much as $8 billion over the next decade.


Yet former defense officials, contracting analysts and industry experts tell Nextgov the Defense Enterprise Office Solutions contract is one that tech giant Microsoft—with its Office 365 Suite—simply cannot lose.

Yes, the Pentagon, through a variety of bidders, all of whom offer Microsoft based solutions, is adopting a hostile adoption strategy, described as:

According to Defense Department spokeswoman Elissa Smith, the intent is for DEOS to replace all the disparate, duplicative collaboration tools Defense Department agencies use around the world. Components, including the Army, Navy and Air Force, “will be required” to use the same cloud-based business tools.

“It is expected that DEOS will be designated as an enterprise solution for DOD-wide adoption and organizations,” Smith told Nextgov. “Components that have already implemented different solutions with similar functionality will be required to migrate to DEOS.”

You may remember how successful the FBI Virtual Case File project was, $170 million in the toilet, where local FBI offices were to be “forced” to migrate to a new system. Complete and utter failure.

Undeterred by previous government IT failures, the Pentagon is upping the stakes to 47 times the losses in the FBI Virtual Case File project and, even more importantly, risking national security on hostile adoption of an unwanted product.

If that weren’t bad enough, the Office 365 Suite offers a security single point of failure (SPOF). Once the system is breached for one instance, it has been breached for all. Hackers can now abandon their work on other systems and concentrate on Microsoft alone. (A thanks on their behalf to the Pentagon.)

Hackers are unlikely to take up my suggestion because an eight year slog to complete failure leaves non-Microsoft systems in operation during and past the project’s failure date. Not to mention that a hostile transition to an unwanted system is likely to leave openings for exploitation. Happy hunting!

March 27, 2019

GHIDRA 9.0.1 has been posted

Filed under: Cybersecurity,NSA — Patrick Durusau @ 7:56 pm

GHIDRA 9.0.1 has been posted

That was quick! Version 9.0.1 of GHIDRA is available for downloading. Release notes.

February 22, 2019

Safer Porn Viewing

Filed under: Cybersecurity,Porn — Patrick Durusau @ 3:30 pm

Threats to Users of Adult Websites in 2018 by Kaspersky Lab.


2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms – Tumblr – announced it was banning erotic content (even though almost a quarter of its users consume adult content). In addition, the UK received the title of ‘The Second Most Porn-Hungry Country in the World‘ and is now implementing a law on age-verification for pornography lovers that will prohibit anyone below the age of 18 to watch this sort of content. This is potentially opening a world of new tricks for scammers and threat actors to take advantage of users. In addition, even commercial giant Starbucks declared a ‘holy war’ on porn as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.
Such measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. According to news reports last year, an extremely active adult website user, who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This, and other examples confirm that adult content remains a controversial topic from both a social and cybersecurity standpoint.
It is no secret that digital pornography has long been associated with malware and cyberthreats. While some of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted research on the malware hidden in pornography and found out that such threats are both real and effective. One of the key takeaways of last year’s report was the fact that cybercriminals not only use adult content in multiple ways – from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims’ banking credentials and other personal information – but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.

The U.S. Government, being itself untrustworthy, doesn’t trust Kaspersky Lab. There’s an odd logic to that position, tinged by a desire for a domestic cybersecurity industry. A domestic industry that would be subject to the orders of the U.S. Government. Which is what it now suspects of Kaspersky.

You can read Kaspersky’s Three common myths about Kaspersky Lab, or ask yourself, would I cheat while holding 6.25 percent of the world market for Windows anti-malware software? If the answer is no, then trust Kaspersky Lab until you have facts that compel a different choice.

The report details which types of porn carry the greatest risk of malware and the common techniques used to deliver it. (You are using a VPN and the Tor Browser to view porn. Yes?)

I trust Kaspersky because unlike the U.S. Government, it has no record of running porn sites to entrap viewers. (The FBI likely ran nearly half the child porn sites on the dark web in 2016.) Enjoy the report.

February 19, 2019

OnionShare 2 adds anonymous dropboxes, … [Potential Leakers/Cleaning Staff Take Note!]

Filed under: Cybersecurity,Tor — Patrick Durusau @ 1:28 pm

OnionShare 2 adds anonymous dropboxes, supports new Tor addresses, and is translated into a dozen new languages by Micah Lee.

From the post:

After nearly a year of work from a growing community of developers, designers, and translators, I’m excited that OnionShare 2 is finally ready. You can download it from onionshare.org.

OnionShare is an open source tool for securely and anonymously sending and receiving files using Tor onion services. It works by starting a web server directly on your computer and making it accessible as an unguessable Tor web address that others can load in Tor Browser to download files from you, or upload files to you. It doesn’t require setting up a separate server, using a third party file-sharing service, or even logging into an account.

Unlike services like email, Google Drive, DropBox, WeTransfer, or nearly any other way people typically send files to each other, when you use OnionShare you don’t give any companies access to the files that you’re sharing. So long as you share the unguessable web address in a secure way (like pasting it in an encrypted messaging app), no one but you and the person you’re sharing with can access your files.
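The “unguessable Tor web address” above is, for OnionShare 2’s new Tor addresses, a v3 onion address: base32 of the service’s ed25519 public key, a two-byte SHA3-256 checksum and a version byte (0x03). As an added example, not OnionShare’s or Micah Lee’s code, this validates an address pasted to you in a messaging app before you load it, so a mistyped or altered address is caught rather than silently connecting nowhere. The demo key is constructed from a hash of a fixed string and is not a real service.

```python
"""Validate a version-3 Tor onion address (per Tor's rend-spec-v3).

onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
VERSION       = 0x03   (so every valid v3 address ends in "d")
"""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the ed25519 public key to the address."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the 56-character address from a 32-byte ed25519 public key."""
    payload = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    # 35 bytes = 280 bits = exactly 56 base32 characters, no padding.
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Return the public key if the address is well formed, else raise ValueError."""
    addr = address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[: -len(".onion")]
    if len(addr) != 56:
        raise ValueError("v3 onion address must be 56 base32 characters")
    try:
        payload = base64.b32decode(addr, casefold=True)
    except Exception as exc:
        raise ValueError(f"not base32: {exc}") from exc
    pubkey, checksum, version = payload[:32], payload[32:34], payload[34:]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address mistyped or altered")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Boolean wrapper for callers that only need pass/fail."""
    try:
        decode_onion_v3(address)
        return True
    except ValueError:
        return False


# Constructed demo key: 32 deterministic bytes, NOT a real onion service.
DEMO_PUBKEY = hashlib.sha256(b"onionshare example key").digest()


def corrupt_checksum(address: str) -> str:
    """Change one base32 character that lies entirely inside the checksum."""
    # Characters 48..55 encode the last five bytes; character 53 covers
    # bits 2..6 of the second checksum byte only, so the key is untouched.
    c = address[53]
    return address[:53] + ("a" if c != "a" else "b") + address[54:]


if __name__ == "__main__":
    addr = encode_onion_v3(DEMO_PUBKEY)
    print(addr, is_valid_onion_v3(addr))
    print(corrupt_checksum(addr), is_valid_onion_v3(corrupt_checksum(addr)))
```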

Depending on the cyberfails at your organization (How to Block Tor (The Onion Router)), secure leaking may be as easy as installing OnionShare, adding the files you want to leak and transmitting an Onion address to a member of the media.

Well, some members of the media. Western mainstream media is extremely risk averse and will take no steps to assist leakers. That is, leaks have to arrive on their doorsteps with no direct effort on their part. I suspect that applies to obtaining files with OnionShare, but you would have to ask a reporter.

On the other hand, cleaning staff can read passwords off sticky notes as easily as users and with OnionShare 2 on a USB stick, could be sharing files during their shift. Deleting OnionShare 2 before leaving of course.

OnionShare 2 is a project to support, follow, use and share as widely as possible.

February 18, 2019

Kali Linux 2019.1 Release (With Metasploit 5.0)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:29 pm

Kali Linux 2019.1 Release

From the post:

Welcome to our first release of 2019, Kali Linux 2019.1, which is available for immediate download. This release brings our kernel up to version 4.19.13, fixes numerous bugs, and includes many updated packages.

The big marquee update of this release is the update of Metasploit to version 5.0, which is their first major release since version 4.0 came out in 2011.

To the extent any mainstream media outlet can be credited, information security in general continues to decline. Even so, it’s better to be at the top of your game with the best tools than not.

Enjoy!

r2con 2019 – A Sensible Call for Papers

Filed under: Conferences,Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 2:20 pm

r2con 2019 – Call for Papers

The call for papers in its entirety:

Want to give a talk in r2con? Please send your submission to r2con@radare.org with the following information in plain-text format:

  • Your nick/name(s)
  • Contact information (e-mail, twitter, telegram)
  • Talk title and description with optional speaker bio
  • Length: (20 or 50 minutes)

Such a contrast from conferences with long and tiresome lists of areas included, implying those not listed are excluded. You know the type so I won’t embarrass anyone by offering examples.

For more details, check out r2con 2018, 22 videos, r2con 2017, 16 videos, or r2con 2016, 25 videos.

If after sixty-three (63) videos you are uncertain if your talk is appropriate for r2con 2019, perhaps it is not. Try elsewhere.

February 11, 2019

A Quick Guide to Spear Phishing

Filed under: Cybersecurity,Hacking,Phishing for Leaks — Patrick Durusau @ 4:28 pm

How cybercriminals harvest information for spear phishing by Anastasiya Gridasova.

From the post:

In analyzing targeted attacks over the past decade, we continually find a recurring theme: “It all started when the victim opened a phishing e-mail.” Why are spear-phishing e-mails so effective? It’s because they are contextualized and tailored to the specific victim.

Victims’ social networks are often used as a source of information. Naturally, that leads to the question: How? How do cybercriminals find these accounts? To a large extent, it depends on how public the victim is. If someone’s data is published on a corporate website, perhaps with a detailed biography and a link to a LinkedIn profile, it’s quite simple. But if the only thing the cybercriminal has is an e-mail address, the task is far more complicated. And if they just took a picture of you entering the office of the target company, their chances of finding your profile in social networks are even lower.

A quick but useful introduction to gathering social data for spear phishing. The more experience you gain at spear phishing, the more sources you will add to those mentioned here.

Just as an observation: Detailed biographies of management teams for large institutional investors (think oil pipelines and the like) are published online and in a number of other sources.

BTW, to avoid being taken in by a phishing email, don’t use links sent in email. Ever. From any source. The act of copying them for use will direct your attention to the link. Or it should.

White/Black Hats – Swiss E-Voting Systems – $$$ (or rather CHF)

Filed under: Bugs,Cybersecurity,Government — Patrick Durusau @ 3:59 pm

Switzerland Launches Bug Bounty Program for E-Voting Systems by Eduard Kovacs

From the post:


Hackers can earn between $30,000 and $50,000 if they find vulnerabilities that can be exploited to manipulate votes without being detected by voters and auditors. Voting manipulation methods that are detectable can earn participants up to $20,000.

Server-side flaws that allow an attacker to find out who voted and what they voted can earn hackers as much as $10,000, while vote corruption issues can be worth up to $5,000. The smallest bounty, $100, will be paid out for server configuration weaknesses. Participants will be allowed to make their findings public.

The source code for the e-voting system is publicly available, but Swiss Post noted that source code vulnerabilities must be reported separately if they cannot be exploited against the test system.

If you are a registered White Hat hacker, submit your findings for awards as described.

If you are a Black Hat hacker, sell your hack to one of the participating White Hat hackers. 😉

Something for everyone.

January 30, 2019

Cyber Threats, The Modern Maginot Line … Worldwide Threat Assessment

Filed under: Cybersecurity,Hacking,Intelligence — Patrick Durusau @ 8:30 pm

Worldwide Threat Assessment of the US Intelligence Community

From the report:


China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks — in the United States.

I won’t shame the alleged author of this report by naming them.

This is a making-the-case-for-a-bigger-budget document and not a report to be taken seriously.

For example, I would re-write this item to read:


Any country with a budget large enough to rent earth moving equipment has the ability to cause disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for months — in the United States.

Think about the last time you heard of a contractor disrupting a gas or water main. Now improve upon that memory with the pipe being one that transports oil, natural gas or other petroleum products across state lines.

If you were planning on disrupting critical infrastructure in the US, would you fund years of iffy research and development for a cyber attack, or spend several thousand dollars on travel and equipment rental?

Cyber defense utility infrastructure is a modern Maginot Line. It’s true someone, a very stupid someone, could attack that way, but why would they in light of easier and surer methods of disruption?

No one associated with the report asked that question because it’s a collaborative budget increase document.

PS: The techniques overlooked in the Worldwide Threat Assessment are applicable to other countries as well. (Inquire for details.)

January 25, 2019

Setting Up A Hardware Hacking Lab (How Do You Hide An Oscilloscope?)

Filed under: Cybersecurity,Hacking,IoT - Internet of Things — Patrick Durusau @ 9:24 pm

Setting Up A Hardware Hacking Lab

From the post:

One of the questions I receive more than any other is “What tools do you use for hardware hacking?” or “What tools should I buy to get started with hardware hacking?”. Rather than wasting a bunch of time answering this every time someone asks, I’ve decided to write a blog post on the subject! It’s worth noting that YOU DON’T NEED EVERYTHING on this list in order to get started. The general idea of this post is that you would pick one tool from each category and by the time you’re done you’ll have a planned out and versatile setup. Also, I’m going to try my best to add tools that fit all different budget levels.

Before you get to the oscilloscope section, you are outfitted for less than $100. Enough tooling to start developing your skill set. So you can take full advantage of an oscilloscope in your hardware hacking future.

Not to mention law enforcement visitors will key on an oscilloscope, having only seen them in very bad sci-fi adventures. You might be a space alien or something. Creative ways to conceal an oscilloscope?

January 19, 2019

Targeting Government Contractors/Subcontractors (U.S.)

Filed under: Cybersecurity,Government,Hacking — Patrick Durusau @ 8:18 pm

You may have seen: China’s been hacking Navy contractors for 18 months, new report reveals, which among other things says:


“It’s extremely hard for the Defense Department to secure its own systems,” Bossert said. “It’s a matter of trust and hope to secure the systems of their contractors and subcontractors.”

Subcontractors of all branches are frequently attacked by hackers due to inadequate cybersecurity measures. Officials say subcontractors are not being held accountable for those inadequacies.

Sadly, that article and the WSJ report it summarizes, Chinese Hackers Breach U.S. Navy Contractors, fail to provide any actionable details, like which Navy subcontractors?

If you knew which subcontractors, you could target advertising of your services to strengthen their defenses or not be outdone by alleged Chinese hackers. I say “alleged Chinese hackers” because attribution of hacking seems to follow a “villain of the week” pattern. Last year it was super-human North Koreans, or was that the year before? Then it has been the Russians and Chinese off and on. Now it’s the Chinese again.

To correct the lack of actionable data in those reports, I have a somewhat dated (2014) RAND report, Findings from Existing Data on the Department of Defense Industrial Base by Nancy Young Moore, Clifford A. Grammich, Judith D. Mele, that gives you several starting places for finding government subcontractors.

I need to extract the specific resources they list and update/supplement them with others but for weekend reading you could do far worse.

Think of this as one example of weaponizing public data. There are others. If gathered in book form, would you be interested?

January 17, 2019

Pirate Radio Historic Texts – Where To Go From Here

Filed under: Cybersecurity,Hacking,Radio — Patrick Durusau @ 9:07 pm

Pirate Radio: two downloadable manuals

From the webpage:

Two terrific manuals on Pirate Radio available for free download: The Complete Manual of Pirate Radio, by Zeke Teflon, has technical information on building a radio – including wiring diagrams, mobile operations, parts, testing and getting away with it. Seizing the Airwaves from AK Press, edited by Ron Sakolsky and Stephen Dunifer, provides some great context for Pirate Radio, including historic pirate radio stations, the fable of free speech, community radio, what to do when the FCC come knocking, and a lot more (209 pages of it!).

“Seizing the Airwaves” (219 pages) was published in 1998 and I suspect “The Complete Manual of Pirate Radio” is the older of the two because it mentions tubes in transmitters, cassette tapes and the ARRL Handbook costing $20. (It’s now $49.95.)

These two works are interesting historical artifacts in the Internet Age, but a new copy of the ARRL Handbook (2019) is an entirely different story.

It was just a day or two ago that I wrote about wirelessly seizing control of construction equipment in Who Needs a Hellfire™ Missile When You Have a Crane?.

The airways are full of unseen but hackable data streams. How do emergency and government services communicate? What do monitors emit? WiFi is just one channel waiting for your arrival. Not to mention that the ability to access those streams means you can also interfere with or mimic messages on them.

Check out the ARRL’s What’s New page for products to expand or support your hacking skills beyond cable.

January 15, 2019

Who Needs a Hellfire™ Missile When You Have a Crane?

Filed under: Cybersecurity,Hacking,IoT - Internet of Things — Patrick Durusau @ 11:06 pm

The Forbes exclusive story, Hackers Take Control Of Giant Construction Cranes by Thomas Brewster, made me follow @Forbes, @ForbesTech, and @iblametom.

Their politics really suck but stories like this one amplify the impact of IoT hacks by several orders of magnitude. Even if there was no hack. You can readily imagine the next big crane accident will be blamed on “IoT hackers.” You can even create a hacking handle to discuss industrial IoT hacking and take credit for accidents with no readily apparent cause.

Hackers will benefit more from the 82-page paper: A Security Analysis of Radio Remote Controllers for Industrial Applications by Jonathan Andersson, et al. that forms the basis for the Forbes story. (I have a copy of the pdf, just in case it disappears.) For a quick overview, see: Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations.

Just so you know, Hellfire missiles run $65K to $111K, each. Plus the delivery platform, support services, etc. A weapon limited to formal military forces.

Contrast that with IoT enabled construction equipment that is, and no doubt will remain, vulnerable to hackers. Location is opportunistic but your cost pales when compared to the investment required for a Hellfire missile.

Beyond the cost advantage, hacking construction equipment makes the familiar suddenly unfamiliar, unfriendly, and perhaps even dangerous.

Construction hacking in your area? Tip Thomas Brewster Signal: +447837496820.

January 14, 2019

Metasploit Unleashed

Filed under: Cybersecurity,Hacking,Metasploit — Patrick Durusau @ 8:22 pm

Metasploit Unleashed – Free Ethical Hacking Course

From the webpage:

The Metasploit Unleashed (MSFU) course is provided free of charge by Offensive Security in order to raise awareness for underprivileged children in East Africa. If you enjoy this free ethical hacking course, we ask that you make a donation to the Hackers For Charity non-profit 501(c)(3) organization. A sum of $9.00 will feed a child for a month, so any contribution makes a difference.

We are proud to present the most complete and in-depth Metasploit guide available, with contributions from the authors of the No Starch Press Metasploit Book. This course is a perfect starting point for Information Security Professionals who want to learn penetration testing and ethical hacking, but are not yet ready to commit to a paid course. We will teach you how to use Metasploit, in a structured and intuitive manner. Additionally, this free online ethical hacking course makes a wonderful quick reference for penetration testers, red teams, and other security professionals.

We hope you enjoy the Metasploit Unleashed course as much as we did making it!

You should start with the Requirements for the course. Seriously, read the directions first!

For example, I was anticipating using VirtualBox VMs, only to discover that the Metasploitable VM is for VMware only. So I have to install VMware, convert Metasploitable to OVF and then import into VirtualBox. That sounds like a job for tomorrow! Along with a post about my experience.

January 13, 2019

Buffer Overflow Explained in Detail

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:13 pm

Binary Exploitation – Buffer Overflow Explained in Detail by Ahmed Hesham.

From the post:

So first of all I know that there are many tutorials published about buffer overflow and binary exploitation but I decided to write this article because most of these tutorials and articles don’t really talk about the basic fund[a]mentals needed to understand what a buffer overflow really is. They just go explaining what’s a buffer overflow without explaining what is a buffer, what is a stack or what are memory addresses etc. And I just wanted to make it easier for someone who wants to learn about it to find an article that covers the basics. So what I’m going to talk about in this article is what is a buffer, what is a stack and what are the memory addresses and we will take a look at the application memory structure, what is a buffer overflow and why does it happen then I’ll show a really basic and simple example for exploiting a buffer overflow (protostar stack0)

Too basic for most readers but not all. If you are looking for more advanced materials, try the blog at: https://0xrick.github.io/, which has five “Hack the Box” walk-throughs.
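For readers who want the protostar stack0 bug in front of them rather than described, here is an added example; it is not code from Hesham’s article or from the protostar challenge itself. stack0 reads input with gets() into a 64-byte buffer that sits just below an int named modified on the stack and then reports success when modified is nonzero. The example models that frame as one byte array (buffer followed by the four bytes of modified, little-endian), so the overflow is reproducible and well-defined, and puts the bounded, fgets()-style copy beside it so the difference is visible on the same input. The names stack0_vulnerable, stack0_fixed and stack0_modified_after are this example’s own.

```c
/* Added example: a model of protostar stack0, not the challenge binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   64                /* char buffer[64] in stack0 */
#define FRAME_LEN (BUF_LEN + 4)     /* buffer followed by the int "modified" */

/* "modified" is the 4 bytes just above the buffer, read as little-endian. */
static uint32_t read_modified(const unsigned char *frame)
{
    return (uint32_t)frame[BUF_LEN]
         | ((uint32_t)frame[BUF_LEN + 1] << 8)
         | ((uint32_t)frame[BUF_LEN + 2] << 16)
         | ((uint32_t)frame[BUF_LEN + 3] << 24);
}

/* The bug: a gets()-style copy that stops at NUL, never at the buffer size.
 * Input bytes 64..67 overwrite "modified". The copy is capped at FRAME_LEN
 * only so this model cannot run off its own array; the real gets() has no
 * cap and keeps writing into saved registers and the return address. */
static uint32_t stack0_vulnerable(const char *input)
{
    unsigned char frame[FRAME_LEN] = {0};
    for (size_t i = 0; i < FRAME_LEN && input[i] != '\0'; i++)
        frame[i] = (unsigned char)input[i];
    return read_modified(frame);
}

/* The fix: a bounded read, as fgets(buffer, sizeof buffer, stdin) does.
 * At most BUF_LEN-1 bytes are stored plus a terminating NUL, so input
 * can never reach "modified". */
static uint32_t stack0_fixed(const char *input)
{
    unsigned char frame[FRAME_LEN] = {0};
    size_t i;
    for (i = 0; i < BUF_LEN - 1 && input[i] != '\0'; i++)
        frame[i] = (unsigned char)input[i];
    frame[i] = '\0';
    return read_modified(frame);
}

/* Run either variant on a constructed input of `len` 'A' bytes and return
 * what "modified" holds afterwards. */
static uint32_t stack0_modified_after(size_t len, int hardened)
{
    char input[FRAME_LEN + 1];
    if (len > FRAME_LEN)
        len = FRAME_LEN;            /* longest input the model can hold */
    memset(input, 'A', len);
    input[len] = '\0';
    return hardened ? stack0_fixed(input) : stack0_vulnerable(input);
}

int main(void)
{
    size_t lens[] = {64, 65, 68};
    for (size_t k = 0; k < 3; k++)
        printf("input %zu bytes: vulnerable modified=0x%08x, fixed modified=0x%08x\n",
               lens[k],
               (unsigned)stack0_modified_after(lens[k], 0),
               (unsigned)stack0_modified_after(lens[k], 1));
    return 0;
}
```

Sixty-four bytes of input leave modified at zero in both versions; the sixty-fifth byte lands in modified only in the vulnerable copy, and sixty-eight bytes fill it with 0x41414141. That is the whole of stack0: the check the program makes is on a variable the attacker can reach because the copy is bounded by the input, not by the buffer.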

Later this week I will be posting about a subject identity approach to malware identification. Any suggestions on use of a subject identity approach to identify vulnerabilities?

January 11, 2019

Metasploit Framework 5.0 Released!

Filed under: Cybersecurity,Hacking,Metasploit — Patrick Durusau @ 4:52 pm

Metasploit Framework 5.0 Released!

From the post:

We are happy to announce the release of Metasploit 5.0, the culmination of work by the Metasploit team over the past year. As the first major Metasploit release since 2011, Metasploit 5.0 brings many new features, as well as a fresh release cadence. Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and ease-of-use lay the groundwork for better teamwork capabilities, tool integration, and exploitation at scale.

Get it (and improve it)

As of today, you can get MSF 5 by checking out the 5.0.0 tag in the Metasploit Github project. We’re in the process of reaching out to third-party software developers to let them know that Metasploit 5 is stable and ready to ship; for information on when MSF 5 will be packaged and integrated into your favorite distribution, keep an eye on threads like this one. As always, if you find a bug, you can report it to us on Github. Friendly reminder: Your issue is a lot more likely to get attention from us and the rest of the community if you include all the information we ask for in the issue form.

Contributions from the open source community are the soul of Metasploit. Want to join the many hackers, researchers, bug hunters, and docs writers who have helped make Metasploit awesome over the years? Start here. Not into Ruby development? Help us add to our Python or Go module counts.

A beginning set of release notes for Metasploit 5.0 is here. We’ll be adding to these over the next few months. As always, community PRs are welcome! Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend.

See all the ways to stay informed and get involved at https://metasploit.com.

Before rushing off to put Metasploit Framework 5.0 to use, take a moment to consider contributing back to the Metasploit community.

The near panic for new cybersecurity hires and code to protect against attacks can only result in new security fails and vulnerabilities. Metasploit needs your help to keep up with self-inflicted security issues across government and business entities.

With your help, the CIA and NSA will be defaulting to Metasploit Framework 5.0 as their default desktop hacking app! Of course, neither the CIA nor the NSA can endorse or acknowledge their use of Metasploit, but one can dream!

January 8, 2019

Zerodium Bounties 2019

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:13 pm

The power of competition for exploits?

Jan. 7, 2019 – Payouts for the majority of Desktops/Servers and Mobile exploits have been increased. Major changes are highlighted below:

Increased Payouts (Mobiles):
$2,000,000 – Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
$1,500,000 – Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
$1,000,000 – WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)
$500,000 – Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)
$500,000 – Safari + LPE (iOS) including a sandbox escape (previously: $200,000)
$200,000 – Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)
$100,000 – Local pin/passcode or Touch ID bypass for Android or iOS (previously: $15,000)

NOTE: Payouts were also increased for other products including: RCE via documents/medias, RCE via MitM, ASLR or kASLR bypass, information disclosure, etc.

Increased Payouts (Servers/Desktops):
$1,000,000 – Windows RCE (Zero Click) e.g. via SMB or RDP packets (previously: $500,000)
$500,000 – Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
$500,000 – Apache or MS IIS RCE i.e. remote exploits via HTTP(S) requests (previously: $250,000)
$250,000 – Outlook RCE i.e. remote exploits via a malicious email (previously: $150,000)
$250,000 – PHP or OpenSSL RCE (previously: $150,000)
$250,000 – MS Exchange Server RCE (previously: $150,000)
$200,000 – VMWare ESXi VM Escape i.e. guest-to-host escape (previously: $100,000)
$80,000 – Windows local privilege escalation or sandbox escape (previously: $50,000)

NOTE: Payouts were also increased for other products including: Thunderbird, VMWare Workstation, Plesk, cPanel, Webmin, WordPress, 7-Zip, WinRAR, etc.

Not quite in the star athlete range but getting there.

The higher the bounties, the more people who will be hunting. Not unlike the lottery. Some of them will win based on skill, others will stumble on exploits.

What we really need is a competitive market for data, however it is obtained.

January 3, 2019

Getting Started with… Middle Egyptian [Middle Egyptian Code Talker?]

Filed under: Cybersecurity,Hacking,Hieroglyphics — Patrick Durusau @ 9:29 pm

Getting Started with… Middle Egyptian by Patrick J. Burns.

Middle Egyptian, sometimes referred to as Classical Egyptian, refers to the language spoken in Egypt from the beginning of the second millennium BCE to roughly 1300 BCE, or midway through the New Kingdom. It is also the written, hieroglyphic language of this period and so the medium in which the classical Egyptian literature of this period is transmitted. Funerary inscriptions, wisdom texts, heroic narratives like the “Tale of Sinuhe” or the “Shipwrecked Sailor,” and religious hymns have all come down to us in Middle Egyptian hieroglyphic. We also have papyri from this period written in a cursive script known as hieratic. The “middle” separates this phase of the Egyptian language from that of the previous millennium, or Old Egyptian (for example, the “pyramid” texts), and Late Egyptian, which begins in the second half of the New Kingdom and lasts until roughly 700 BCE with the emergence of Demotic. …

It’s been years since I seriously looked at a Middle Egyptian grammar or text but as a hobby, you could do far worse.

For hackers it offers the potential to keep records only you can read.

I don’t mean illegible, we can all do that, but written in a meaningful script that is decodable only by you.

Even better, you can use known religious texts and quotations as your notes. Various law enforcement agencies can hire (hope they charge top dollar) experts to translate your notes. Standard Middle Egyptian religious texts. Maybe that’s your thing. No way to prove otherwise.

The other upside is your support for the publishing of Middle Egyptian grammars, readers, and payments to Middle Egyptian experts by authorities for translation of standard texts. Bes will see the humor in such payments.

Enjoy!

Older Posts »

Powered by WordPress