Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 8, 2018

Slacking Hackers? Google API Bug – 13 Internet Years

Filed under: Cybersecurity,Google+,Hacking — Patrick Durusau @ 3:29 pm

Google chose not to go public about bug that exposed Google Plus users’ data by Graham Cluley.

From the post:


No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.

But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles potentially being affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having access to the unauthorized Google Plus data – it has not seen any evidence that any profile data was misused.

Estimates of an Internet year vs. a calendar year range from 1 calendar year = 2 Internet years; 1 calendar year = 4.7 Internet years; and, a high of 1 calendar year = 7 Internet years.

To be fair, let’s arbitrarily pick 1 year = 4 Internet years, which means the Google API bug has been around for 13 Internet years.

I’m not a hacker so I certainly wasn’t helping, but geez. Not that anyone should have pointed the flaw out to Google by any means. Google’s moves to hide the existence of the bug speak volumes about some of us being in ocean going yachts and others in leaking life rafts.

There is no commonality of interests in computer security between the average user and Google. Google offers security as a commodity (think DoD in the cloud) and whether you are secure, well, have you paid Google for your security?

I’m certain that Google will protest, should they bother to notice, but can you guess who has a financial interest in your free or nearly so reports of security bugs? (Hint: It’s not me.)

I’ve tried to avoid Google+ since its inception so its death won’t impact me.

I do need to set about learning how to check APIs for security flaws. 😉

Cash Spitting ATMs Near You?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:19 am

Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash by Swati Khandelwal.

From the post:

The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group had also reportedly been associated with the WannaCry ransomware menace that last year shut down hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014.

Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed “FASTCash,” that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server.

See Khandelwal’s post for more details but the disruption/fun factor of such a hack is readily evident.

Most effective on Black Friday (a U.S. orgy of consumerism the day after Thanksgiving) or Christmas Eve (December 24th).

Remind testers of the hazards of facial recognition. Holiday masks are sold at many locations.

A Red Teamer’s guide to pivoting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:30 am

A Red Teamer’s guide to pivoting by Artem Kondratenko.

From the post:

Penetration testers often traverse logical network boundaries in order to gain access to client’s critical infrastructure. Common scenarios include developing the attack into the internal network after successful perimeter breach or gaining access to initially unroutable network segments after compromising hosts inside the organization. Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility. In this post I’ll cover common pivoting techniques and tools available.

A handy list of pivoting techniques to refresh/test your skills.

Enjoy!

October 3, 2018

Someone is wrong on the Internet: Turing complete/weird machines

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:43 am

Turing completeness, weird machines, Twitter, and muddled terminology by halvar.flake.

From the post:

First off, an apology to the reader: I normally spend a bit of effort to make my blog posts readable / polished, but I am under quite a few time constraints at the moment, so the following will be held to lesser standards of writing than usual.

A discussion arose on Twitter after I tweeted that the use of the term “Turing-complete” in academic exploit papers is wrong. During that discussion, it emerged that there are more misunderstandings of terms that play into this. Correcting these things on Twitter will not work (how I long for the days of useful mailing lists), so I ended up writing a short text. Pastebin is not great for archiving posts either, so for lack of a better place to put it, here it comes:

No apologies necessary for this highly entertaining and useful post!

Our misuse of “Turing completeness” and “weird machine” is harmful and confusing (emphasis in original)

Corrections of public ignorance rarely succeed but at least within exploit research, it’s worth a try. Watch for misuse of “Turing complete” and “weird machines” and cite halvar.flake’s correction.

PS: Personally I would not correct such misunderstandings by government sponsored researchers. Their ignorance and confusion doesn’t trouble me. Your call.

October 2, 2018

Tracking Potential Security Fails: The Pentagon and Its Familiars

Filed under: Hacking,Journalism,News,Reporting — Patrick Durusau @ 7:37 pm

Want to Track the Pentagon’s Funding? Here’s How You Can Follow the Money by Michael Morisy.

From the post:

In the 2017 financial year, the US Department of Defense alone spent about $590 billion, according to data from the Congressional Budget Office in Washington, DC. Even veteran journalists who cover the US government extensively can find themselves stumped.

“It was like an acid flashback getting your email,” said Steve Fainaru, winner of the 2008 Pulitzer Prize for International Reporting. “This was a huge issue for us. We couldn’t get these contracts.”

His reporting from Iraq shows millions in cost overruns for security contractors.

Since that series, new databases have been posted online that can help those looking to follow the money wherever it flows, including making it easier to trace contracts from companies in a specific country or servicing a particular area.

I’m not sure you will agree with “…making it easier to trace contracts from companies…(emphasis added)” but perhaps it is “easier” than before recent changes.

Certainly a very helpful article for journalists and anyone interested in information the government is willing to share. I take sharing of information by governments and corporations to indicate the shared information is of little value.

That said, tracking Pentagon funding also turns up entities, people and locations with access to data that isn’t intended for sharing. A ripe field for pentesting and security upgrade services.

Perhaps not the intent of the information sources mentioned by Morisy, but then information you can’t weaponize isn’t very interesting is it?

More Free Speech Lost at Twitter

Filed under: Censorship,Free Speech,Hacking,Twitter — Patrick Durusau @ 7:19 pm

Twitter bans distribution of hacked materials ahead of US midterm elections by Catalin Cimpanu.

From the post:


Twitter already had rules in place that prohibited the distribution of hacked materials that contain private information or trade secrets, but after Monday’s update, the platform’s review teams will also ban accounts that claim responsibility for a hack, make hacking threats, or issue incentives to hack specific people and accounts.

Nevertheless, the social network hasn’t been that successful, barely putting a dent in spam-related reports, with the number of complaints going down from 17,000 in May to only 16,000 in September. More work needs to be done, and Twitter just gave its staff sharper teeth to go about their job.

See Cimpanu’s post for the full scope of the damage being done to free speech at Twitter.

Any Twitter investors with insight into how much Twitter wastes on its censorship operations every year?

As an investor, I would want to see some ROI from censorship. You?

September 28, 2018

LoJax – Coming to a Corporation/Government Near You!

Filed under: Cybersecurity,Government,Hacking,Security — Patrick Durusau @ 8:58 pm

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild by Swati Khandelwal.

From the post:

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

Khandelwal has a great explanation of LoJax with pointers to more detailed information.

At present the result of governmental development, it’s not unreasonable to expect LoJax to become commodity malware in a period of a year or two, perhaps less. Not unlike the first atomic bomb. The first one was true research; the second one and following were matters of engineering.

Any number of governments and corporations merit being gifted with installations of LoJax.

Watching the anti-woman antics in the US Senate this week, made me think of several likely targets.

September 24, 2018

What Would Qualify as a Cyber 9/11?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:17 pm

One of the participants in a discussion reported by Troy Schneider in: Cybersecurity the right way attributes the formation of the Department of Homeland Security (DHS) to “…planes flew into buildings, right?”

I’m not sure reduction of 9/11 down to “…planes flew into buildings…” will be popular, but it did result in a wasted $5+ Trillion to date. If you are looking for funding, a 9/11 equivalent event would be hard to beat.

The question that came to me: What qualifies as a cyber 9/11?

I have a short list of things that didn’t:

  1. Office of Personnel Management (OPM) – “…greatest theft of sensitive personal data in history.” Why the OPM Hack Is Far Worse Than You Imagine Data on all prospective, former and current federal employees since 1985.
  2. National Security Agency hacking tools stolen and leaked on the Internet. Shadow Brokers Group Leaks Stolen National Security Agency Hacking Tools
  3. CIA hacking tools known as Vault 7 leaked by Wikileaks. Wikileaks releases document trove allegedly containing CIA hacking tools
  4. US-South Korea war plans. North Korea ‘hackers steal US-South Korea war plans’

Based on public response of the government and industry, none of those events was a cyber 9/11. (I remember the Clinton email breach, but stealing a gmail password hardly qualifies as a “hack.”)

There is an interactive visualization of data breaches that allows you to filter by organization and method of leak, and then view the results by calendar year: World’s Biggest Data Breaches (losses > 30,000 records)

By implication, none of those breaches were sufficient to be a cyber 9/11.

I’m really at a loss to say what the cyber equivalent of “…planes flew into buildings…” would look like.

Perhaps the primary reason for the lack of a cyber 9/11 event is the distraction of hackers with more profitable targets. It might be interesting to have a copy of the National Crime Information Center (NCIC) databases, but it would be a niche item. Unless you are into suppressing civil dissent, etc.

On the other hand, the genealogy people might go nuts over it. Would need to test the market before putting a lot of effort into it.

Cyber 9/11 events? Suggestions?

September 23, 2018

Scan4You: Not Sharing Is A Crime?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:48 am

Hacker gets 14 years jail time for operating Scan4You malware scanning service by Waqas.

I’ve been puzzling over what crime was committed here, especially when I read:


The purpose was to assess whether the malicious code was detected or not during routine security checks. Scan4You is also regarded in the infosec industry as a non-distribute-scanner. The difference between VirusTotal and Scan4You is that the latter doesn’t let antivirus engines report back results to vendors and the malware detections are kept discreet, while the former does so.

The Scan4You service, according to the court documents, was hosted on Amazon Web Services servers while malware developers used to pay to get full access to its features. Trend Micro also stated that Bondars also made a very common mistake that almost every malware developer has made in the past, which is that he blocked antivirus engines from the reporting of file scans.

If you track down the indictment, Ruslans Bondars and Jurijs Martisevs indictment (h/t Catalin Cimpanu for uploading), on a quick read section 11 of the indictment appears to be its most worrisome point:


11. The Defendants intentionally marketed (omission) to computer hackers using the website (omission) and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the (omission) service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users they will do so, (omission) instead informed its users they could upload anonymously, and that data about the uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

The indictment does not contain the advertisements posted by the defendants: “The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII).” so it’s not possible to judge the intent evidenced by those ads.

On the other hand:

  • “a hidden service accessible via The Onion Router (TOR)”
  • anonymous uploads
  • not sharing with the antivirus community

By themselves, surely don’t support the conclusion:


As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

Don’t rely on this post as legal advice but I can easily see a legitimate virus scanning service offering a hidden service with anonymous uploads, for the purpose of staying ahead of its competition in detection of malware. If malware authors are more likely to upload to a service anonymously, doing otherwise makes little business sense.

Moreover, not sharing with the antivirus community rests on the mistaken assumption computer security is a shared concern. That’s demonstrably false by collection and use of zero-day vulnerabilities by the NSA. See: The challenge of offensive hacking: the NSA and zero days

Governments around the world use cyber vulnerabilities and call on you to make unpaid contributions of time and labor to improve “cybersecurity.”

I’ll pass on that request.

Hackers represent the QA staff software vendors refuse to hire. If governments want more secure software, decriminalize hacking and establish civil liability for software vendors, contractors and users.

Incentivize security as opposed to preaching about it.

September 22, 2018

What’s The Buzz? Tell Me What’s Happening – Meltdown

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:22 pm

Meltdown: Reading Kernel Memory from User Space by Moritz Lipp, et al.

Abstract:

The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security guarantees provided by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.

A lucid presentation that has you cheering for U.S. Department of Defense migration to the cloud plans.

Go ahead, step just a little bit further into light.

September 20, 2018

New Hacking Challenge: CLIP OS (French Cybersecurity OS)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 2:44 pm

French cyber-security agency open-sources CLIP OS, a security hardened OS by Catalin Cimpanu.

From the post:

The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

In a press release, ANSSI described CLIP OS as a “Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information.”

More details are available at The CLIP OS Project, including version 4 (current release, documentation in French), and version 5 (alpha version, documentation in English).

The lack of a build version makes me wonder about the breadth of CLIP OS deployment, within ANSSI or the French government more generally.

Not that you want to rely on security by obscurity, but if CLIP OS is a substantial security advance over comparable systems, why open source it?

The open source motivation could be to boost a French vendor that has a commercial product along similar lines. Perhaps former members of the ANSSI?

In any event, enjoy getting the CLIP OS up and running as preparation to finding its soft spots.

Free CCTV Surveillance Camera Networks

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 12:51 pm

You don’t get to pick the locations but as Tom Spring details in: Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras, not only can you take over up to 800,000 existing CCTV cameras with the bugs discussed, all those cameras will require a manual upgrade.

Hard to imagine a greater deterrent to upgrading than requiring manual upgrading of each and every camera.

From the post:


The first vulnerability (CVE-2018-1149) is the zero-day. Attackers can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI to handle. The CGI then doesn’t validate the user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.

The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.

Which CCTV surveillance camera networks do you have control of? (Rhetorical question. Don’t answer! Bad OpSec.)

September 16, 2018

Radare2 – Perils of e – 492 Settings in 32 Namespaces

Filed under: Hacking,Radare2 — Patrick Durusau @ 10:31 am

If you are new to Radare2 (that includes me), you will execute the e command at an r2 prompt, and be overwhelmed by 492 possible settings.

The manual helpfully says that you can use e (namespace). to see all the settings within a namespace.

e cfg.

returns:

cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false

But if you don’t know the namespaces, that’s not very helpful advice.

The namespaces as of 16 September 2018 are:

  1. anal
  2. asm
  3. bin
  4. cfg
  5. cmd
  6. dbg
  7. diff
  8. dir
  9. emu
  10. esil
  11. file
  12. fs
  13. graph
  14. hex
  15. http
  16. hud
  17. io
  18. key
  19. lines
  20. magic
  21. pdb
  22. prj
  23. rap
  24. rop
  25. scr
  26. search
  27. stack
  28. str
  29. tcp
  30. time
  31. zign
  32. zoom

The use of namespaces with e produces more manageable setting listings. Ping me if you find this useful.
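An added example, not from the original post: a small POSIX shell helper that recovers the namespace list (and a per-namespace setting count) from the `key = value` lines that `e` prints, so you don’t have to know the namespaces in advance. The cfg.* lines in the sample are the ones shown above; the asm.* and scr.* lines have made-up values, and the live-r2 invocation in the comment assumes r2 is on PATH and that `r2 -q -c e -` runs `e` against an empty buffer and exits.

```shell
#!/bin/sh
# Parses radare2 `e` output ("key = value" lines) to list namespaces and
# per-namespace setting counts. Added example, not part of the original post.

# Constructed sample of `e` output: the cfg.* lines match the post; the
# asm.* and scr.* lines are representative keys with made-up values.
SAMPLE_E_OUTPUT='cfg.bigendian = false
cfg.debug = false
cfg.editor = emacs
cfg.fortunes = true
cfg.fortunes.clippy = false
cfg.fortunes.tts = false
cfg.fortunes.type = tips,fun
cfg.hashlimit = 0x00a00000
cfg.log = false
cfg.newtab = false
cfg.plugins = true
cfg.prefixdump = dump
cfg.r2wars = false
cfg.sandbox = false
cfg.user = pid386
cfg.wseek = false
asm.bytes = true
scr.color = 1'

# A namespace is the text before the first dot. Reads `e` output on stdin
# and prints each namespace once, sorted.
r2_namespaces() {
    awk -F'[.]' '/^[a-z0-9]+\./ { print $1 }' | sort -u
}

# Prints "namespace count" per namespace, sorted by name: a quick way to see
# which namespaces carry most of the settings.
r2_namespace_counts() {
    awk -F'[.]' '/^[a-z0-9]+\./ { n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Equivalent of `e <ns>.`: keep only the settings in the named namespace.
r2_namespace_settings() {
    grep "^$1\."
}

# Stand-alone run over the constructed sample. Against a live r2 (assumption:
# r2 on PATH; `r2 -q -c e -` runs `e` on an empty buffer, then exits) use:
#   r2 -q -c e - | r2_namespace_counts
printf '%s\n' "$SAMPLE_E_OUTPUT" | r2_namespace_counts
```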

September 13, 2018

Vulmon [Ultimate Vulnerability Search Engine (self-description)]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:10 pm

Vulmon

From the about page:

Vulmon is a vulnerability search engine. Vulmon conducts full text search in its database therefore you can search everything related with vulnerabilities. It includes cve id, vulnerability types, vendors, products, exploits, operating systems and anything related with vulnerabilities.

Vulmon aims to be both simple and advanced tool for cyber security researchers. Researchers can search everything with its simple interface and get detailed information about vulnerability and related exploits.

Offer recent vulnerabilities, discussion, trends.

Consult while you are waiting for radare2 to complete its daily re-build (recommended by Megabeets).

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

September 11, 2018

Sploitus – First Search – Check It Out!

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Sploitus

New to me search engine for vulnerabilities and exploits. Archive.org reports its first mirroring of Sploitus as of today, 11 September 2018, so I assume I’m not too far behind in hearing about it.

Nice presentation of “Exploits of the week” on the homepage.

I searched for “xml injection” but the query as sent reads:

https://sploitus.com/?query=%22xml%20injection%22#exploits

Without the links, Sploitus returned (in part):

  • Microsoft Baseline Security Analyzer 2.3 – XML External Entity Injection
  • Microsoft Baseline Security Analyzer 2.3 XML Injection
  • MedDream PACS Server Premium 6.7.1.1 – ’email’ SQL Injection
  • Softneta MedDream PACS Server Premium 6.7.1.1 SQL Injection
  • Apache Roller 5.0.3 XML Injection / File Disclosure
  • Opsview Monitor 5.x Command Execution Vulnerability

Some vulnerabilities were covered by different sources, hence the duplication.

It isn’t clear to me how “xml injection” returns “SQL Injection” but I do like the sort by severity or date or default options.

Certainly a place I will be exploring more.

PS: Not to put too much emphasis on technical hacking. You could just call up tech support and have them reset the password for a known user account. Sometimes the simple solution is the better solution.

August 21, 2018

Hacking: The hope for corporate and governmental transparency

Filed under: FOIA,Government,Hacking,Transparency — Patrick Durusau @ 1:31 pm

DEF CON 26 (2018) was the source of many headlines, including Hacking the US Midterms? It’s Child’s play., Hacking Medical Protocols to Change Vital Signs, and, Tesla Plans to Open-source its Vehicle Security Software, to say nothing of zero-day bugs and new attacks on old ones.

The most encouraging news, at least for transparency of corporations and governments comes from Breaking Badge – The DEFCON Crazy 8s by NodyaH.

“DEF CON City” is the location of a text-based adventure that can be solved only with interactions between 8 card types (depends on type of attendee) as well as hacking the cards themselves. The goal is to turn all the letters DEFCON green. There are resources at the end of the post, if you already have a badge.

NodyaH does a great job describing the starts, stops and re-tracing steps of participants as they rushed to break the badges.

It’s a fast moving tale so take a few minutes to read it. After having read it, can you name a corporate or governmental agency that would be more difficult to hack than the DEFCON badges?

The solution to grudging transparency and documents that mis-led more than they inform, is not more FOIA. Transparency requires hackers who peel corporate and government agencies like navel oranges.

Are you one of them or aspire to be?

Keep up with DEFCON!

August 14, 2018

Process Doppelgänging meets…

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:29 pm

Process Doppelgänging meets Process Hollowing in Osiris dropper by hasherezade.

From the post:

One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.

Way beyond my current skill level but it may not be beyond yours.

It also serves as an inspiration/target for a skill level sufficient to read along with a fair degree of understanding.

Enjoy!

Mouse > Sword – High Sierra Hack – 2 lines of code [Brett Kavanaugh documents?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:30 pm

ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability by Mohit Kumar.

The gist of the attack:


Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent.

To know how dangerous it can get, Wardle explains: “Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed.”

Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.

Be sure to grab Wardle’s slides for: The Mouse is mightier than the sword.

It’s not a small file (194 MB) but it has goodies like:

[slide image from Wardle’s deck, not reproduced here]

and,

[slide image from Wardle’s deck, not reproduced here]

Not to mention numerous links and deep analysis of the Mac OS.

Enjoy!

PS: Do you think a current version of High Sierra has access to the files on Supreme Court nominee Brett Kavanaugh? The National Archives and Records Administration says it will take two months to review approximately 1 million records. If dumped, un-edited to the Internet, what? Two weeks? Tops?

To many eyes, all scandals (real or imagined) are transparent.

Man-in-the-Disk – Breaking and Entering Android Phones

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:14 pm

New Man-in-the-Disk attack leaves millions of Android phones vulnerable by Swati Khandelwal.

From the post:


Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps utilize ‘External Storage’ system to store app-related data, which if tampered could result in code injection in the privileged context of the targeted application.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

Khandelwal cites Man-in-the-Disk: A New Attack Surface for Android Apps, which provides this quick summary of the attack:

As the details of this attack may seem complex, let us recap the general outline and ramifications of these shortcomings of Android:

  • An Android device’s External Storage is a public area which can be observed or modified by any other application on the same device.
  • Android does not provide built-in protections for the data held in the External Storage. It only offers developers guidelines on proper use of this resource.
  • Developers anywhere are not always versed in the need for security and the potential risks, nor do they always follow guidelines.
  • Some of the pre-installed and popularly used apps ignore the Android guidelines and hold sensitive data in the unprotected External Storage.
  • This can lead to a Man-in-the-Disk attack, resulting in the manipulation and/or abuse of unprotected sensitive data.
  • Modification to the data can lead to unwelcome results on the user’s device.

Vulnerability pattern: Privileged execution of non-validated data.

Does anyone have a chart of the privileges required by Android apps using External Storage? That would help triage which apps to investigate first.

(Leaving to one side the deliberate creation of an app with high privileges with a plan to later update from External Storage.)
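The defensive counterpart to the last two bullets and to the "non-validated data" pattern, as an added example that is not from Khandelwal's post, the Check Point report or Google's guidance: an app that still keeps a file in shared storage treats it as untrusted on every read and verifies an HMAC computed with a key that never leaves app-private storage. It is plain Java so it runs on any JVM; the two temporary directories, the hmac.key and update.json names and the sidecar .mac convention are assumptions standing in for Android's getFilesDir() and getExternalFilesDir().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SharedStorageGuard {
    private static final String ALG = "HmacSHA256";
    private final Path privateDir; // stands in for Android's Context.getFilesDir() (sandboxed)
    private final Path sharedDir;  // stands in for getExternalFilesDir() (readable by any app)
    public SharedStorageGuard(Path p, Path s) { privateDir = p; sharedDir = s; }

    // 32-byte HMAC key, created on first use and kept only in app-private storage,
    // so no other app on the device can compute a valid tag.
    private byte[] key() throws IOException {
        Path k = privateDir.resolve("hmac.key"); // assumed file name
        if (!Files.exists(k)) {
            byte[] fresh = new byte[32];
            new SecureRandom().nextBytes(fresh);
            Files.write(k, fresh);
        }
        return Files.readAllBytes(k);
    }
    private byte[] tag(byte[] data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key(), ALG));
        return mac.doFinal(data);
    }

    // Write data to shared storage together with its tag in a sidecar file.
    public void store(String name, byte[] data) throws Exception {
        Files.write(sharedDir.resolve(name), data);
        Files.write(sharedDir.resolve(name + ".mac"), tag(data));
    }

    // The vulnerable pattern is a bare Files.readAllBytes() on the shared path; this
    // hardened form recomputes the tag with the private key and refuses anything that fails.
    public byte[] loadVerified(String name) throws Exception {
        byte[] data = Files.readAllBytes(sharedDir.resolve(name));
        byte[] expected = Files.readAllBytes(sharedDir.resolve(name + ".mac"));
        if (!MessageDigest.isEqual(expected, tag(data))) { // constant-time comparison
            throw new SecurityException(name + ": tag mismatch, refusing to use it");
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        SharedStorageGuard g = new SharedStorageGuard(
                Files.createTempDirectory("app-private"), Files.createTempDirectory("external"));
        g.store("update.json", "{\"url\":\"https://example.invalid/v2\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("intact:   " + new String(g.loadVerified("update.json"), StandardCharsets.UTF_8));
        // Constructed tampering: another app on the device rewrites the shared file in place.
        Files.write(g.sharedDir.resolve("update.json"),
                "{\"url\":\"https://attacker.invalid/\"}".getBytes(StandardCharsets.UTF_8));
        try {
            g.loadVerified("update.json");
        } catch (SecurityException e) {
            System.out.println("tampered: " + e.getMessage());
        }
    }
}
```

Use only the bytes loadVerified returns; re-reading the path after the check reopens the window in which another app can swap the file. The tag covers integrity and origin, not availability: another app can still delete or corrupt the pair, so the app must fail closed as here rather than fall back to defaults it would not otherwise accept.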

August 13, 2018

Hunting God Modes? [Get Thee to the Patent Office]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:53 pm

God Mode unlocked: Hardware backdoors in x86 CPUs by Christopher Domas.

Domas has discovered a god mode in the VIA C3 Nehemiah chip (2003) by tracing a series of patents.

An impressive bit of work, but its greater importance lies in partially populating search terms to use when looking for similar patents.

Not to mention that confirmation of the existence of a god mode, not rumored, not whispered about, but a corroborated god mode, will encourage other security researchers to seek other god modes in other versions of chips.

There is a non-technical treatment of Domas’ discovery at: Hacker Finds Hidden ‘God Mode’ on Old x86 CPUs by Paul Wagenseil.

It’s a good summary article but be forewarned of Wagenseil’s take on security:


The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it’s entirely possible that such hidden backdoors exist on many other chipsets.

Wagenseil has that backwards. Good news would be god modes on all chipsets. Bad news would be god mode is a one-off mistake on the VIA C3 Nehemiah chip (2003). God modes make information security more sporting.

What chip set patents are you going to be researching this week?


Update, 14 August 2018: See the Rosenbridge project at Github for code, etc.

August 5, 2018

Color and Size Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 8:46 pm

I mentioned in First Steps with Radare2 on Ubuntu 18.04 that I needed to reset the default colors in Radare2, along with making the font larger.

Itay Cohen, @megabeets_, quickly responded:

Hi Patrick! I read that you had a bit of a struggle with the font colors. Did you know you can change the color theme? Just use “eco “. Screenshots of the different themes are available here: https://r2wiki.readthedocs.io/en/latest/home/themes/#themes. You can also use the Visual Color editor “VE”. Try ‘ec?’

Great way to change displays!

Since I am running XFCE as a desktop, ctrl + and ctrl - don’t change the terminal font size. (Or at least I’m missing how to make that work in XFCE.)

For the time being, I’m starting r2 in an Emacs shell, which allows me to reset the font size quite easily. With the added advantage of being in Emacs!

Now to try out “eco “.

Several people mentioned that I should try Cutter, the new GUI for Radare2. Going to, but I’m comfortable with command line interfaces. Not to mention that experience with the command line will enable me to notice groupings in the GUI.

Chaff Bugs: Deterring Attackers by Making Software Buggier

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:20 pm

Chaff Bugs: Deterring Attackers by Making Software Buggier by Zhenghao Hu, Yu Hu, Brendan Dolan-Gavitt.

Abstract:

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).

A deeply interesting paper, but testing the effectiveness of chaff bugs falls short. The researchers used standard tools to create their estimates of the effectiveness of the chaff bugs. But that isn’t the same as measuring their effectiveness against hackers.

By analogy, consider a team authoring a cracking puzzle and then estimating its difficulty, as opposed to relying on other teams to crack it. Different people, different perspectives, habits, tools, could all make a substantial difference.

Looking forward to seeing this technique appearing in hacking contests.

August 4, 2018

First Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 3:19 pm

If you read Reverse Engineering With Radare2, Part 1 by Sam Symons, you will be hot to jump in and start using Radare2!

Of course, like me, you will ignore most of the introduction and quickly search for Radare2, only to encounter an array of installation options, most of which don’t concern you.

Avoid that mistake, follow this link, http://radare.org/r/down.html (yes, the same one Symons has in his post), and follow these directions:

git clone https://github.com/radare/radare2
cd radare2
sys/install.sh # just run this script to update r2 from git

OK, you need to:

sudo sys/install.sh if you aren’t in a root shell.

Symons points you to course materials for a Modern Binary Exploitation course and their website.

Starting with ./crackme0x00a, you are introduced to the r2 command to open the first challenge.

Presented in a different order, you will encounter:

  • ? – help (append to any command)
  • aa – analyze all
  • cd – change directories
  • pdf – Print disassemble function – pdf@main (simple example)
  • pwd – identify working directory
  • s – seek
  • x – print

I’m working on resetting the colors! Even in a much larger size, this is terribly difficult to read!

That reminds me, there is a book on radare2, imaginatively titled: R2 “Book.” (There is truth to the claim that naming is one of the hardest problems in computer science.)

I got to the end of the first exercise and have some confidence that the Radare2 installation is working properly.

Before going any further, I’m going to experiment with and fix the color display. It’s painful to look at. More on its way!

Enjoy!

August 3, 2018

Browser-based GDB frontend: gdbGUI [With cameo by Thomas Hobbes]

Filed under: .Net,Cybersecurity,gdb,Hacking,Programming,Reverse Engineering — Patrick Durusau @ 8:26 pm

Browser-based GDB frontend: gdbGUI

From the post:

A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust! Simply run gdbgui from the terminal and a new tab will open in your browser.

Features:

  • Debug a different program in each tab (new gdb instance is spawned for each tab)
  • Set/remove breakpoints
  • View stack, threads
  • Switch frame on stack, switch between threads
  • Intuitively explore local variables when paused
  • Hover over variables in source code to view contents
  • Evaluate arbitrary expressions and plot their values over time
  • Explore an interactive tree view of your data structures
  • Jump back into the program’s state to continue debugging unexpected faults (i.e. SEGFAULT)
  • Inspect memory in hex/character form
  • View all registers
  • Dropdown of files used to compile binary, with autocomplete functionality
  • Source code explorer with ability to jump to line
  • Show assembly next to source code, highlighting current instruction. Can also step through instructions.
  • Assembly is displayed if source code cannot be found
  • Notifications when new gdbgui updates are available

While cybersecurity is always relative, the more skills you have, the more secure you can be relative to other users. Or, as Thomas Hobbes observed in De Cive, revised edition, printed in 1760 at Amsterdam, bellum omnium contra omnes, “the war of all against all.” (The quote is found on pages 25-26 of this edition. The following image is from the revised edition, 1647.)

Look to your own security. It is always less valuable to others.

Red Team Tips

Filed under: .Net,Cybersecurity,Hacking,Security — Patrick Durusau @ 2:11 pm

Red Team Tips by Vincent Yiu.

Overview:

The following “red team tips” were posted by myself, Vincent Yiu (@vysecurity) over Twitter for about a year. This is still on-going but I took the opportunity to publish these in one solidified location on my blog. These will be updated occasionally, but will not be bleeding edge updates. To receive my “red team tips”, thoughts, and ideas behind Cyber attack simulations, follow my Twitter account @vysecurity.

For the full Tweet and thread context (a lot of my followers will comment and give their insights also), visit Twitter.

Collection of three hundred and twenty-nine (329) red team (is there another kind?) tips!

Great way to start the weekend!

Enjoy!

July 28, 2018

Deep Learning … Wireless Jamming Attacks

Filed under: Cybersecurity,Government,Government Data,Hacking — Patrick Durusau @ 8:25 pm

Deep Learning for Launching and Mitigating Wireless Jamming Attacks by Tugba Erpek, Yalin E. Sagduyu, Yi Shi.

Abstract:

An adversarial machine learning approach is introduced to launch jamming attacks on wireless communications and a defense strategy is provided. A cognitive transmitter uses a pre-trained classifier to predict current channel status based on recent sensing results and decides whether to transmit or not, whereas a jammer collects channel status and ACKs to build a deep learning classifier that reliably predicts whether there will be a successful transmission next and effectively jams these transmissions. This jamming approach is shown to reduce the performance of the transmitter much more severely compared with randomized or sensing-based jamming. Next, a generative adversarial network (GAN) is developed for the jammer to reduce the time to collect the training dataset by augmenting it with synthetic samples. Then, a defense scheme is introduced for the transmitter that prevents the jammer from building a reliable classifier by deliberately taking a small number of wrong actions (in the form of a causative attack launched against the jammer) when it accesses the spectrum. The transmitter systematically selects when to take wrong actions and adapts the level of defense to machine learning-based or conventional jamming behavior in order to mislead the jammer into making prediction errors and consequently increase its throughput.

As you know, convenience is going to triumph over security, even (especially?) in the context of military contractors. A deep learning approach may be overkill for low-bid contractor targets but it’s good practice for the occasionally more skilled opponent.

Enjoy!

May 21, 2018

Cyber Bullies and Script Kiddie Hacking

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:55 pm

I saw a tweet about: AutoSQLi, the new way script-kiddies hack websites saying:

Oh joy, a new tool for script kiddies

With all the initiatives to address cyber-bullying do you find it strange that no one speaks up for “script kiddies?” (It’s not a term of endearment.)

Learning a new skill, whether SQL injection, phishing, making biscuits or hand loading ammunition, you follow detailed instructions of others. A “script,” “recipe,” etc.

We have been at the “script kiddie” level for one or more skills in our lives.

What do we gain by trashing tools that introduce new skills and hopefully capture the interest of new users?

Nothing. Shaming tools or users is an attempt to gain status by downgrading others.

It doesn’t work for me.

Does it work for you?

May 3, 2018

One Protocol, 125+ Million Targets

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:55 pm

Disclosure: The Call of Duty protocol has been patched against the vulnerability discussed by momo5502. Take heart, it is software and therefore has multiple vulnerabilities. The post remains an instructive one.

Game hacking reinvented? – A cod exploit

From the post:

A few years ago, I became aware of a security issue in most Call of Duty games.

Although I did not discover it myself, I thought it might be interesting to see what it could be used for.

Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling.

In consequence, this allows full remote code execution!

To use this vulnerability to exploit the game, a few things have to be taken into consideration.

To exploit this vulnerability (or actually any vulnerability), you need to replicate the network protocol of the game.

This turns out to be somewhat complex, so I decided not to rewrite this myself but to actually use the game as a base and to simply force it into sending malicious hand-crafted packets that exploit it.

And indeed, this method seems to work, but the problem is that you need to modify the game in order to send the packets.

As Call of Duty has, just like any modern game these days, a not-so-bad anticheat mechanism (namely VAC), modifying it could result in myself getting banned from the game.

After a few other failed attempts of exploiting this vulnerability, I came up with something completely different: Why shouldn’t I use the game, without actually using the game?

The idea is still to take the game as base, but instead of hooking it, the underlying network transactions are analyzed to recreate the state of the game and to inject custom packets into the system’s network stack that look as if they were sent by the game.

So you don’t modify the game itself, but rather control all the data it sends and receives.

As this method doesn’t touch the game at all, it is not possible for current anti-cheat systems to detect this (it actually is possible, but I don’t think there is any anti-cheat that tries to detect that, yet).

Catalin Cimpanu tweeted a link to this post, along with links for a YouTube video: https://www.youtube.com/watch?v=j2N3_pDEsnE and GitHub PoC: https://github.com/momo5502/cod-exploit.

An elegant attack that relies on networked software, well, using a network for communication. However heavily protected the software, communication over a network can be captured and analyzed. Encryption may pose issues, but only if done well, which isn’t all that common.

Enjoy!

April 5, 2018

I am the very model of a hacker individual…

Filed under: Hacking — Patrick Durusau @ 3:23 pm

Pure brilliance posted to Twitter by Karen Reilly, @akareilly:

I am the very model of a hacker individual,
I’ve information cryptographic, analog and digital,
I know every cypherpunk, adhere to Kerckhoff’s principle,
I bounce from node to node so I can make myself invisible.

I’m very well acquainted, too, with server vulnerability,
I escalate my privilege and I trash availability,
I know the latest breaches and I know first when the ‘net’s ablaze,
With many cheerful facts about developments in zero days.

I’m very good at cracking but I can support security;
I know that it is bollocks if you seek it with obscurity:
In short, in matters cryptographic, analog and digital,
I am the very model of a hacker individual.

I know our hacker history from Ada to the Admiral,
If I ever leave a trace at most it is ephemeral,
I clone your black box hardware tokens or I social engineer
I fill logfiles with peculiarities that cause CTO fear

I can open any doors with tumbler locks or RFID
I've got root and have the keys to all your cryptocurrency
I can hum your servers dead by reaching a high decibel
No matter where I am, I am guaranteed to pop a shell

In short, in matters cryptographic, analog and digital,
I am the very model of a hacker individual.

I have seen other verses but not certain of their placement. Perhaps that’s intentional.

In any event, this is the first version I saw on Twitter. Other arrangements and content are likely to exist and be equally enjoyable.

February 9, 2018

Fear Keeps People in Line (And Ignorant of Apple Source Code)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 11:05 am

Apple’s top-secret iBoot firmware source code spills onto GitHub for some insane reason by Chris Williams.

From the post:

The confidential source code to Apple’s iBoot firmware in iPhones, iPads and other iOS devices has leaked into a public GitHub repo.

The closed-source code is top-secret, proprietary, copyright Apple, and yet has been quietly doing the rounds between security researchers and device jailbreakers on Reddit for four or so months, if not longer.

We’re not going to link to it. Also, downloading it is not recommended. Just remember what happened when people shared or sold copies of the stolen Microsoft Windows 2000 source code back in the day.

Notice that Williams cites scary language about the prior Windows source code but not a single example of an actual prosecution for downloading or sharing that source code. I have strong suspicions why no examples were cited.*

You?

The other thing to notice is “security researchers” have been sharing it for months, but if the great unwashed public gets to see it, well, that’s a five alarm fire.

Williams has sided with access only for the privileged, although I would be hard pressed to say why.

BTW, if you want to search Github for source code that claims to originate from Apple, use the search term iBoot.

No direct link because in the DMCA cat and mouse game, any link will be quickly broken and I have no way to verify whether a repository is or isn’t Apple source code.

Don’t let fear keep you ignorant.

*My suspicions are that anyone reading Microsoft Windows 2000 source code became a poorer programmer and that was viewed as penalty enough.
