Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 8, 2018

Cash Spitting ATMs Near You?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:19 am

Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash by Swati Khandelwal.

From the post:

The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group had also reportedly been associated with the WannaCry ransomware menace that last year shut down hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014.

Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed “FASTCash,” that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server.

See Khandelwal’s post for more details but the disruption/fun factor of such a hack is readily evident.

Most effective on Black Friday (a U.S. orgy of consumerism the day after Thanksgiving) or Christmas Eve (December 24th).

Remind testers of the hazards of facial recognition. Holiday masks are sold at many locations.

A Red Teamer’s guide to pivoting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:30 am

A Red Teamer’s guide to pivoting by Artem Kondratenko.

From the post:

Penetration testers often traverse logical network boundaries in order to gain access to client’s critical infrastructure. Common scenarios include developing the attack into the internal network after successful perimeter breach or gaining access to initially unroutable network segments after compromising hosts inside the organization. Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility. In this post I’ll cover common pivoting techniques and tools available.

A handy list of pivoting techniques to refresh/test your skills.

Enjoy!

October 4, 2018

Patent Prior Art Archive – Malware Prior Art?

Filed under: Cybersecurity,Malware,Patents — Patrick Durusau @ 8:18 am

Coming together to create a prior art archive by Ian Wetherbee and Mike Lee.

From the post:

Patent quality is a two-way street. Patent applicants should submit detailed disclosures describing their inventions and actively participate in the examination process to define clear distinctions between their inventions and existing technology. Examiners reviewing patent applications should conduct thorough searches of existing technology, reject any attempts to patent existing technology, and develop a clear record of the differences between the patent claims and what came before. The more that the patent system supports and incentivizes these activities, the more reliable the rights that issue from patent offices will be, and the more those patents will promote innovation.

A healthy patent system requires that patent applicants and examiners be able to find and access the best documentation of state-of-the-art technology. This documentation is often found in sources other than patents. Non-patent literature can be particularly hard to find and access in the software field, where it may take the form of user manuals, technical specifications, or product marketing materials. Without access to this information, patent offices may issue patents covering existing technology, or not recognize trivial extensions of published research, removing the public’s right to use it and bringing the reliability of patent rights into question.

To address this problem, academia and industry have worked together to launch the Prior Art Archive, created through a collaboration between the MIT Media Lab, Cisco and the USPTO, and hosted by MIT. The Prior Art Archive is a new, open access system that allows anyone to upload those hard-to-find technical materials and make them easily searchable by everyone.

Believe it or not, Wetherbee and Lee write an entire post on Google and the Prior Art Archive, without ever giving the web address of the Prior Art Archive.

There, fixed that problem on the web. 😉 You know, it’s possible to be so self-centered as to be self-defeating.

The problems of malware prior art are orders of magnitude greater than patent prior art. The literature, posts, etc., alone are spread across ephemeral and often inaccessible forums, blogs, emails, chat groups, to say nothing of the self-defeating secrecy of security researchers themselves. (Not to mention information in languages other than English.)

A malware prior art archive would present numerous indexing, searching, machine translation, clustering and other problems. Perhaps not as lucrative as the results of the Patent Prior Art Archive but at least as interesting.

Thoughts? Suggestions?

PS: You can search the Prior Art Archive through Google Patents. Two other relevant Google resources: TDCommons (non-patented information) and Google Patents Public Datasets.

October 3, 2018

Someone is wrong on the Internet: Turing complete/weird machines

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:43 am

Turing completeness, weird machines, Twitter, and muddled terminology by halvar.flake.

From the post:

First off, an apology to the reader: I normally spend a bit of effort to make my blog posts readable / polished, but I am under quite a few time constraints at the moment, so the following will be held to lesser standards of writing than usual.

A discussion arose on Twitter after I tweeted that the use of the term “Turing-complete” in academic exploit papers is wrong. During that discussion, it emerged that there are more misunderstandings of terms that play into this. Correcting these things on Twitter will not work (how I long for the days of useful mailing lists), so I ended up writing a short text. Pastebin is not great for archiving posts either, so for lack of a better place to put it, here it comes:

No apologies necessary for this highly entertaining and useful post!

Our misuse of “Turing completeness” and “weird machine” is harmful and confusing (emphasis in original)

Corrections of public ignorance rarely succeed, but at least within exploit research it’s worth a try. Watch for misuse of “Turing complete” and “weird machine” and cite halvar.flake’s correction.

PS: Personally I would not correct such misunderstandings by government sponsored researchers. Their ignorance and confusion doesn’t trouble me. Your call.

September 28, 2018

LoJax – Coming to a Corporation/Government Near You!

Filed under: Cybersecurity,Government,Hacking,Security — Patrick Durusau @ 8:58 pm

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild by Swati Khandelwal.

From the post:

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

Khandelwal has a great explanation of LoJax with pointers to more detailed information.

At present the result of governmental development, it’s not unreasonable to expect LoJax to become commodity malware in a period of a year or two, perhaps less. Not unlike the first atomic bomb: the first one was true research; the second and those following were matters of engineering.

Any number of governments and corporations merit being gifted with installations of LoJax.

Watching the anti-woman antics in the US Senate this week, made me think of several likely targets.

September 24, 2018

What Would Qualify as a Cyber 9/11?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:17 pm

One of the participants in a discussion reported by Troy Schneider in: Cybersecurity the right way attributes the formation of the Department of Homeland Security (DHS) to “…planes flew into buildings, right?”

I’m not sure reduction of 9/11 down to “…planes flew into buildings…” will be popular, but it did result in a wasted $5+ Trillion to date. If you are looking for funding, a 9/11 equivalent event would be hard to beat.

The question that came to me: What qualifies as a cyber 9/11?

I have a short list of things that didn’t:

  1. Office of Personnel Management (OPM) – “…greatest theft of sensitive personal data in history.” (Why the OPM Hack Is Far Worse Than You Imagine) Data on all prospective, former and current federal employees since 1985.
  2. National Security Agency hacking tools stolen and leaked on the Internet. Shadow Brokers Group Leaks Stolen National Security Agency Hacking Tools
  3. CIA hacking tools known as Vault 7 leaked by Wikileaks. Wikileaks releases document trove allegedly containing CIA hacking tools
  4. US-South Korea war plans. North Korea ‘hackers steal US-South Korea war plans’

Based on public response of the government and industry, none of those events was a cyber 9/11. (I remember the Clinton email breach, but stealing a gmail password hardly qualifies as a “hack.”)

There is an interactive visualization of data breaches that allows you to filter by organization and method of leak, and then view the results by calendar year: World’s Biggest Data Breaches (losses > 30,000 records)

By implication, none of those breaches were sufficient to be a cyber 9/11.

I’m really at a loss to say what the cyber equivalent of “…planes flew into buildings…” would look like.

Perhaps the primary reason for the lack of a cyber 9/11 event is the distraction of hackers with more profitable targets. It might be interesting to have a copy of the National Crime Information Center (NCIC) databases, but it would be a niche item. Unless you are into suppressing civil dissent, etc.

On the other hand, the genealogy people might go nuts over it. Would need to test the market before putting a lot of effort into it.

Cyber 9/11 events? Suggestions?

September 23, 2018

Scan4You: Not Sharing Is A Crime?

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:48 am

Hacker gets 14 years jail time for operating Scan4You malware scanning service by Waqas.

I’ve been puzzling over what crime was committed here, especially when I read:


The purpose was to assess whether the malicious code was detected or not during routine security checks. Scan4You is also regarded in the infosec industry as a non-distribute-scanner. The difference between VirusTotal and Scan4You is that the latter doesn’t let antivirus engines report back results to vendors and the malware detections are kept discreet while the former does so.

The Scan4You service, according to the court documents, was hosted on Amazon Web Services servers while malware developers used to pay to get full access to its features. Trend Micro also stated that Bondars also made a very common mistake that almost every malware developer has made in the past, which is that he blocked antivirus engines from the reporting of file scans.

If you track down the indictment (Ruslans Bondars and Jurijs Martisevs indictment, h/t Catalin Cimpanu for uploading), on a quick read section 11 appears to be its most worrisome point:


11. The Defendants intentionally marketed (omission) to computer hackers using the website (omission) and a hidden service accessible via The Onion Router (TOR), an online network for enabling anonymity. The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII). Moreover, the (omission) service differed from legitimate scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community, and notify their users they will do so, (omission) instead informed its users they could upload anonymously, and that data about the uploaded files would not be shared with the antivirus community. As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

The indictment does not contain the advertisements posted by the defendants: “The Defendants also advertised (omission) on underground online cybercrime forums, which are support networks used by individuals worldwide to buy, sell, and rent malware kits, botnets, and stolen personal identifying information (PII).” so it’s not possible to judge the intent evidenced by those ads.

On the other hand:

  • “a hidden service accessible via The Onion Router (TOR)”
  • anonymous uploads
  • not sharing with the antivirus community

By themselves, surely don’t support the conclusion:


As a result, the Defendants knew and intended that the (omission) service would be used for facilitation of online criminal activity.

Don’t rely on this post as legal advice but I can easily see a legitimate virus scanning service offering a hidden service with anonymous uploads, for the purpose of staying ahead of its competition in detection of malware. If malware authors are more likely to upload to a service anonymously, doing otherwise makes little business sense.

Moreover, not sharing with the antivirus community rests on the mistaken assumption computer security is a shared concern. That’s demonstrably false by collection and use of zero-day vulnerabilities by the NSA. See: The challenge of offensive hacking: the NSA and zero days

Governments around the world use cyber vulnerabilities and call on you to make unpaid contributions of time and labor to improve “cybersecurity.”

I’ll pass on that request.

Hackers represent the QA staff software vendors refuse to hire. If governments want more secure software, decriminalize hacking and establish civil liability for software vendors, contractors and users.

Incentivize security as opposed to preaching about it.

September 22, 2018

What’s The Buzz? Tell Me What’s Happening – Meltdown

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:22 pm

Meltdown: Reading Kernel Memory from User Space by Moritz Lipp, et al.

Abstract:

The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security guarantees provided by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.

A lucid presentation that has you cheering for the U.S. Department of Defense’s plans to migrate to the cloud.

Go ahead, step just a little bit further into light.

September 21, 2018

Senate GMail Attack – eXist-db 5.0.0 RC 4 Release – Coincidence?

Filed under: Cybersecurity,eXist,Government,XML,XML Database,XQuery — Patrick Durusau @ 6:16 pm

First I see Senators’ Gmail accounts targeted by foreign hackers from today that reads in part:

The personal Gmail accounts of an unspecified number of US senators and Senate staff have been targeted by foreign government hackers, a Google spokesperson confirmed to CNN on Thursday.

then I see in my Twitter feed:

[eXist-db] v5.0.0-RC4 – September 21, 2018.

The campaign season has been devoid of any Clinton-like email leaks, which is both disappointing and a little surprising.

It worked so well last time: take no-news office gossip and, by timed release, turn back-biting chatter into widely reported news.

You should grab a copy of eXist-db v.5.0.0-RC4 or the current stable version. Practicing now will keep you in shape for any flood of congressional emails.

eXistDB is NOT in league with any hackers anywhere.

I like feeding the paranoid delusions of the IC with groundless gossip. They will write it down, talk about it, do research, all the while they are not out harming US citizens and/or hopefully citizens of any other countries.

September 20, 2018

New Hacking Challenge: CLIP OS (French Cybersecurity OS)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 2:44 pm

French cyber-security agency open-sources CLIP OS, a security hardened OS by Catalin Cimpanu.

From the post:

The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

In a press release, ANSSI described CLIP OS as a “Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information.”

More details are available at The CLIP OS Project, including version 4 (current release, documentation in French), and version 5 (alpha version, documentation in English).

The lack of a build version makes me wonder about the breadth of CLIP OS deployment, within ANSSI or the French government more generally.

Not that you want to rely on security by obscurity, but if CLIP OS is a substantial security advance over comparable systems, why open source it?

The open source motivation could be to boost a French vendor that has a commercial product along similar lines. Perhaps former members of the ANSSI?

In any event, enjoy getting the CLIP OS up and running as preparation to finding its soft spots.

Free CCTV Surveillance Camera Networks

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 12:51 pm

You don’t get to pick the locations, but as Tom Spring details in: Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras, not only can you take over up to 800,000 existing CCTV cameras with the bugs discussed, but all those cameras will require a manual upgrade.

Hard to imagine a greater deterrent to upgrading than requiring manual upgrading of each and every camera.

From the post:


The first vulnerability (CVE-2018-1149) is the zero-day. An attacker can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI to handle. The CGI then doesn’t validate the user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.

The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.

Which CCTV surveillance camera networks do you have control of? (Rhetorical question. Don’t answer! Bad OpSec.)

September 13, 2018

Vulmon [Ultimate Vulnerability Search Engine (self-description)]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:10 pm

Vulmon

From the about page:

Vulmon is a vulnerability search engine. Vulmon conducts full text search in its database, therefore you can search everything related to vulnerabilities. It includes CVE id, vulnerability types, vendors, products, exploits, operating systems and anything related to vulnerabilities.

Vulmon aims to be both a simple and an advanced tool for cyber security researchers. Researchers can search everything with its simple interface and get detailed information about a vulnerability and related exploits.

Offers recent vulnerabilities, discussion, trends.

Consult while you are waiting for radare2 to complete its daily re-build (recommended by Megabeets).

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

September 11, 2018

Sploitus – First Search – Check It Out!

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:04 pm

Sploitus

New to me search engine for vulnerabilities and exploits. Archive.org reports its first mirroring of Sploitus as of today, 11 September 2018, so I assume I’m not too far behind in hearing about it.

Nice presentation of “Exploits of the week” on the homepage.

I searched for “xml injection” but the query as sent reads:

https://sploitus.com/?query=%22xml%20injection%22#exploits

Without the links, Sploitus returned (in part):

  • Microsoft Baseline Security Analyzer 2.3 – XML External Entity Injection
  • Microsoft Baseline Security Analyzer 2.3 XML Injection
  • MedDream PACS Server Premium 6.7.1.1 – ’email’ SQL Injection
  • Softneta MedDream PACS Server Premium 6.7.1.1 SQL Injection
  • Apache Roller 5.0.3 XML Injection / File Disclosure
  • Opsview Monitor 5.x Command Execution Vulnerability

Some vulnerabilities were covered by different sources, hence the duplication.

It isn’t clear to me how “xml injection” returns “SQL Injection” but I do like the sort by severity or date or default options.

Certainly a place I will be exploring more.

PS: Not to put too much emphasis on technical hacking. You could just call up tech support and have them reset the password for a known user account. Sometimes the simple solution is the better one.

September 6, 2018

Using cURL through Tor on Ubuntu 18.04

Filed under: Cybersecurity,Tor — Patrick Durusau @ 3:01 pm

When I found Making Tor Requests with command-line cURL by NanoDano, I thought I had hit gold!

Easy enough:

Except that when I do:

curl --socks5-hostname localhost:9150 https://check.torproject.org

I get:

curl: (7) Failed to connect to localhost port 9150: Connection refused

Quick answers: Yes, the Tor browser is running, the syntax is correct, ….

I spent several minutes trying to identify the source of the problem before doing this:

curl --socks5-hostname 127.0.0.1:9150 https://check.torproject.org

Success!

Yes, I have a local mis-configuration, which I can correct, but you may find situations where correction isn’t possible.

Try substitution of 127.0.0.1 for localhost and vice-versa, before looking for more obscure causes. (That also quickly identifies this particular mis-configuration.)
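To see which address the Tor SOCKS port actually answers on before guessing, here is an added diagnostic (my example, not from NanoDano’s post or this one). It assumes the usual cause of this symptom: `localhost` resolving to `::1` ahead of `127.0.0.1` while Tor Browser’s SOCKS listener binds only to `127.0.0.1:9150`; the `demo_listener` helper exists so the script can be exercised without Tor running.

```python
"""Diagnose why `curl --socks5-hostname localhost:9150 ...` is refused while
`127.0.0.1:9150` works.  Added example, not code from the original post.

Assumption (labelled): `localhost` resolves to ::1 before 127.0.0.1, while
Tor Browser's SOCKS listener binds only to 127.0.0.1:9150, so curl's first
connection attempt goes to an address nothing listens on.
"""
import socket

TOR_BROWSER_SOCKS_PORT = 9150  # port used in the post; the tor daemon defaults to 9050


def resolve(host):
    """Return the distinct IP addresses `host` resolves to, in resolver order
    (the order curl will try them)."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, None, proto=socket.IPPROTO_TCP
    ):
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def can_connect(addr, port, timeout=1.0):
    """True if a TCP connect to (addr, port) succeeds within `timeout` seconds."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:  # connection refused, no route, family unsupported, timeout
        return False


def diagnose(host="localhost", port=TOR_BROWSER_SOCKS_PORT):
    """Map each address `host` resolves to onto whether the SOCKS port accepts a
    connection there.  Returns (results_by_addr, list_of_working_addrs)."""
    results = {addr: can_connect(addr, port) for addr in resolve(host)}
    working = [addr for addr, ok in results.items() if ok]
    return results, working


def curl_command(host, port, url="https://check.torproject.org"):
    """Build the curl invocation from the post with an address that really listens.
    --socks5-hostname hands the target hostname to the proxy, so DNS for the
    URL is resolved through Tor rather than by the local resolver."""
    return f"curl --socks5-hostname {host}:{port} {url}"


def demo_listener():
    """Open a throwaway TCP listener on 127.0.0.1 (ephemeral port) so the
    diagnosis can be exercised without Tor.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results, working = diagnose()
    for addr, ok in results.items():
        print(f"{addr:>12}:{TOR_BROWSER_SOCKS_PORT}  {'listening' if ok else 'refused'}")
    if working:
        print("use:", curl_command(working[0], TOR_BROWSER_SOCKS_PORT))
    else:
        print("nothing listening on the SOCKS port; is Tor Browser running?")
```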

September 4, 2018

Penetration Testing / OSCP Biggest Reference Bank

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:38 pm

Penetration Testing / OSCP Biggest Reference Bank by OlivierLaflamme (Boschko)

Forty-three (43) penetration cheatsheets as of today (4 September 2018), all dating from August 1, 2018.

Opportunity to grab cheatsheets and to contribute back to the community with comments and suggestions.

Note the difference between some communities of hackers and white-hat hackers, who practice secrecy and non-sharing. That’s the real advantage in cybersecurity matters.

Enjoy!

I first saw this in a tweet by Catalin Cimpanu.

Tor Sites – Is Your Public IP Showing? [Terrorist-in-a-Box]

Filed under: Cybersecurity,Dark Web,Tor — Patrick Durusau @ 9:32 am

Public IP Addresses of Tor Sites Exposed via SSL Certificates by Lawrence Abrams.

From the post:

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.

One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.

The failure of people who intentionally walk on the wild side to properly secure their sites holds out great promise that government and industry sites are even more poorly secured.

If you are running a Tor site or someday hope to run a Tor site, read this post and make sure your public IP isn’t showing.
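A check for the misconfiguration Abrams describes, added here as an example and not code from his post: it reads the `HiddenServicePort` targets from a torrc and the host’s `ss -ltn` listeners (both constructed samples below) and flags any backend port bound to something other than a loopback address.

```python
"""Flag a Tor hidden service whose backend web server is reachable on a public
interface.  Added example, not code from the original post.

Assumptions (labelled): the service is declared with the real torrc directive
`HiddenServicePort <virtport> <addr>:<port>`, and listening sockets are given
as `ss -ltn` style lines.  Both samples below are constructed for the demo.
"""
import ipaddress
import re

# Constructed torrc fragment: onion port 80 forwards to the local web server on 8080.
SAMPLE_TORRC = """
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed `ss -ltn` output, misconfigured: the web server is bound to every
# interface (0.0.0.0:8080), so its certificate and content are fetchable from
# the public IP, not just through Tor.
SAMPLE_SS_EXPOSED = """
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9050       0.0.0.0:*
"""

# Constructed `ss -ltn` output, corrected: the backend listens on loopback only.
SAMPLE_SS_HARDENED = """
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     127.0.0.1:9050       0.0.0.0:*
"""


def backend_ports(torrc_text):
    """Return the set of local TCP ports torrc forwards hidden-service traffic to."""
    ports = set()
    for m in re.finditer(r"^\s*HiddenServicePort\s+\d+\s+(\S+)\s*$", torrc_text, re.M):
        target = m.group(1)  # "port", "addr:port" or "[v6addr]:port"; keep the port
        ports.add(int(target.rsplit(":", 1)[-1]))
    return ports


def listening_sockets(ss_text):
    """Parse the LISTEN lines of `ss -ltn` into (bind_address, port) tuples."""
    socks = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        socks.append((addr.strip("[]"), int(port)))
    return socks


def is_loopback_only(addr):
    """True if the bind address confines the socket to the loopback interface."""
    if addr == "*":
        return False  # wildcard bind: every interface, including the public one
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_backends(torrc_text, ss_text):
    """Return [(addr, port)] for hidden-service backend ports bound to a
    non-loopback address, i.e. reachable directly from the Internet."""
    ports = backend_ports(torrc_text)
    return [(a, p) for a, p in listening_sockets(ss_text)
            if p in ports and not is_loopback_only(a)]


if __name__ == "__main__":
    for label, ss in (("exposed", SAMPLE_SS_EXPOSED), ("hardened", SAMPLE_SS_HARDENED)):
        bad = exposed_backends(SAMPLE_TORRC, ss)
        print(f"{label}: {bad if bad else 'backend listens on loopback only'}")
```

On a live host, feed it the real torrc and the output of `ss -ltn`; a wildcard or `[::]` bind is reported as exposed just like a public IPv4 address.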

Unless your Tor site is a honeypot for government spy agencies. They lap up false information like there is no tomorrow.

Not something I have time for now but consider mining intelligence reports as a basis for creating a Tor site, complete with information, chats, discussion forums, etc., download (not public) name “Terrorist-in-a-Box.” Unpack, install, configure (correctly) and yet another terrorist site is on the Dark Web. Have an AI running all the participants on the site. A challenging project to make it credible.

The intelligence community (IC) makes much of their ability to filter noise from content, so you can help them test that ability. It’s almost a patriotic duty.

August 28, 2018

Hackers – Government Partnership? A New Model

Filed under: Cybersecurity,Government — Patrick Durusau @ 7:09 pm

The trials and tribulations of hiring hackers, much less hiring them by governments, are but a quick search away. A few of the articles I have encountered: Hiring hackers: The good, the bad and the ugly, Top 10 Pros and Cons of Hiring Hackers to Enhance Security, and, Hiring a hacker: Why and how you should do it.

These posts and others suffer from a lack of imagination in harnessing hackers for bettering government security.

Governments want fewer cybersecurity risks. Hackers want less risk from their hacking activities. Here’s one way to lessen the risks on both sides:

  1. Government creates a PGP key for encryption of method and proof of hack on a government information system.
  2. The encrypted package is signed by the hacker in question for proof of ownership of that hack.
  3. Uploading of the encrypted package to a public website, along with which a hacker can claim their handle, automatically grants the hacker immunity for the hack and use of its results. Additionally, the hack cannot be used in any other prosecution for any purpose.
  4. The government can solicit solutions for submitted hacks from the submitting hacker(s) or from hackers more generally.

Governments, any government, are already hemorrhaging data. Anyone who says differently is selling a mythical security solution. Be forewarned.

The proposed hack/immunity system gives governments notice of hacks and their specifics, in exchange for immunity in the unlikely event that anyone will be prosecuted for a hack.

Moreover, the privacy of hackers is preserved since they must produce the key to verify the signing of the encrypted package, which they would only do in case of a prosecution based on or using that hack.

The cybersecurity community as a whole gains greater reliability of breach information compared to:

…This year’s report is based on a global survey conducted by 451 Research during October and November of 2017.

In contrast to last year’s report, we surveyed 1,200+ senior security executives from across the globe (up from 1,100), including respondents from key regional markets in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea and India. We also surveyed key segments within those countries including federal government, retail, finance and healthcare. While all 1,200 respondents have at least some degree of influence in data security decision-making, more than one-third (34%) have ‘major’ influences on these decisions and nearly half (46%) have sole decision-making authority.
2018 THALES DATA THREAT REPORT

Misgivings over the trustworthiness of hackers are highly selective. Thales relies on people with an interest in their fails looking similar to everyone else’s. Rather odd “research” technique.

PS: Should anyone (US prosecutors, FBI, etc.) protest the automatic granting of immunity, ask them for their prosecution statistics versus the number of known breaches in their districts.

You can waste money on by-chance prosecutions and cybersecurity myths or you can correct your systems against the best hackers in the world. Your call.

Cybersecurity Fails Set To Spread Beyond Beltway Defense Contractors

Filed under: Cybersecurity,Government,Government Data — Patrick Durusau @ 3:01 pm

I’m sure you were as amused as I was to read: U.S. Department Of Defense Awards $37 Million Contract To Cybersecurity Startup Qadium. It’s only fair you know. Startups can fail at cybersecurity just as well as traditional contractors (names omitted to protect the guilty).

In a show of transparency unlike most media outlets, the post includes a disclaimer that the following was written by Qadium:

Cybersecurity startup Qadium has been awarded a $37.6 million contract by the U.S. Department of Defense, making it the latest venture-backed startup from Silicon Valley to win a major federal contract over traditional Beltway defense contractors.

Qadium is the first company to provide real-time monitoring of the entire global Internet for customers’ assets. In a new era of machine-speed attacks, Qadium helps the world’s most sophisticated organizations define and secure their dynamic network edge.

The contract was awarded by the U.S. Navy’s Space and Warfare Command after the Department of Defense validated Qadium’s commercial software. Qadium is now recognized among a small handful of cybersecurity providers, with DoD making its software accessible department-wide.

“The Defense Department used to love to build its own IT, often poorly and at high cost to taxpayers,” said Qadium CEO and CIA veteran Tim Junio. “The times are finally changing. In the face of the greatest cybersecurity challenges in our nation’s history, we’re seeing the government and private tech companies coming together, making both sides better off.”

I can name one side that will be better off, to the tune of $37 Million.

Hackers also benefit from this news, Qadium becoming a known target for social engineering and other attention.

August 14, 2018

Process Doppelgänging meets…

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:29 pm

Process Doppelgänging meets Process Hollowing in Osiris dropper by hasherezade.

From the post:

One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.

Way beyond my current skill level but it may not be beyond yours.

It also serves as an inspiration/target for a skill level sufficient to read along with a fair degree of understanding.

Enjoy!

Mouse > Sword – High Sierra Hack – 2 lines of code [Brett Kavanaugh documents?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:30 pm

ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability by Mohit Kumar.

The gist of the attack:

Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent.

To know, how dangerous it can go, Wardle explains: “Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed.”

Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.

Be sure to grab Wardle’s slides for: The Mouse is mightier than the sword.

It’s not a small file (194 MB), but it has goodies like the slides reproduced in the original post [slide images omitted here], not to mention numerous links and deep analysis of macOS.

Enjoy!

PS: Do you think any machine running a current version of High Sierra has access to the files on Supreme Court nominee Brett Kavanaugh? The National Archives and Records Administration says it will take two months to review approximately 1 million records. If dumped, unedited, to the Internet, what? Two weeks? Tops?

To many eyes, all scandals (real or imagined) are transparent.

Man-in-the-Disk – Breaking and Entering Android Phones

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:14 pm

New Man-in-the-Disk attack leaves millions of Android phones vulnerable by Swati Khandelwal.

From the post:

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps utilize ‘External Storage’ system to store app-related data, which if tampered could result in code injection in the privileged context of the targeted application.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

Khandelwal cites Man-in-the-Disk: A New Attack Surface for Android Apps, which provides this quick summary of the attack:

As the details of this attack may seem complex, let us recap the general outline and ramifications of these shortcomings of Android:

  • An Android device’s External Storage is a public area which can be observed or modified by any other application on the same device.
  • Android does not provide built-in protections for the data held in the External Storage. It only offers developers guidelines on proper use of this resource.
  • Developers anywhere are not always versed in the need for security and the potential risks, nor do they always follow guidelines.
  • Some of the pre-installed and popularly used apps ignore the Android guidelines and hold sensitive data in the unprotected External Storage.
  • This can lead to a Man-in-the-Disk attack, resulting in the manipulation and/or abuse of unprotected sensitive data.
  • Modification to the data can lead to unwelcome results on the user’s device.

Vulnerability pattern: Privileged execution of non-validated data.

Does anyone have a chart of the privileges required by Android apps using External Storage? That would help triage which apps to investigate first.

(Leaving to one side the deliberate creation of an app with high privileges with a plan to later update from External Storage.)
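The pattern named above, privileged execution of non-validated data, reduces to a few lines once you strip away the Android packaging. The following is an added example written for this post, not code from Check Point, Google or any of the apps named in the report, and it is not Android code: a temporary directory stands in for world-writable External Storage, the file name, contents and hash are constructed for the illustration, and the "attacker" is simply any other process that can write to the same path. It shows the vulnerable loader beside a hardened one that hashes exactly the bytes it is about to use, so that an app which swaps the file between the check and the use gains nothing.

```python
# Added illustration of "privileged execution of non-validated data" and its fix.
# Not Android or Check Point code: a temp dir models the shared External Storage,
# and the file name, JSON contents and pinned hash are constructed for the example.
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def write_shared_file(path, data):
    """Any app on the device can do this to External Storage: the legitimate
    app writing its data, or a malicious app overwriting it."""
    with open(path, "wb") as f:
        f.write(data)


def load_unverified(path):
    """Vulnerable: whatever is on the shared disk is parsed and acted on as trusted."""
    with open(path, "rb") as f:
        return json.loads(f.read())


def load_verified(path, expected_sha256_hex):
    """Hardened: read once, hash the exact bytes that will be used, compare in
    constant time. expected_sha256_hex must be kept somewhere other apps cannot
    write (the app's internal storage, or a TLS-authenticated server response),
    never on the shared disk next to the file it protects."""
    with open(path, "rb") as f:
        data = f.read()  # single read: hash and use the same buffer (no check-then-reopen window)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256_hex):
        return None  # tampered (or simply not what we downloaded): refuse to use it
    return json.loads(data)


def demo():
    """Returns ((unverified, verified) before tampering, (unverified, verified) after)."""
    shared_dir = tempfile.mkdtemp(prefix="external_storage_")
    path = os.path.join(shared_dir, "translate_pack.json")  # constructed file name
    try:
        genuine = json.dumps({"pack": "en-fr", "version": 3}).encode()
        pinned = hashlib.sha256(genuine).hexdigest()  # recorded at download time, stored privately
        write_shared_file(path, genuine)
        before = (load_unverified(path), load_verified(path, pinned))

        # Another app on the same device rewrites the file before our app loads it.
        tampered = json.dumps(
            {"pack": "en-fr", "version": 3, "loader": "/sdcard/evil.so"}  # constructed payload
        ).encode()
        write_shared_file(path, tampered)
        after = (load_unverified(path), load_verified(path, pinned))
        return before, after
    finally:
        shutil.rmtree(shared_dir, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The interesting detail is in load_verified: hashing the file and then reopening it to use it would leave exactly the race that a hostile app sitting on the same disk can win, so the hash is computed over the buffer that is actually consumed. Internal storage remains the first choice; the verification is what you do when the data genuinely has to live on the shared disk.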

August 13, 2018

Hunting God Modes? [Get Thee to the Patent Office]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:53 pm

God Mode unlocked: Hardware backdoors in x86 CPUs by Christopher Domas.

Domas has discovered a god mode in the VIA C3 Nehemiah chip (2003) by tracing a series of patents.

An impressive bit of work, but its greater importance lies in partially populating search terms to use when looking for similar patents.

Not to mention that confirmation of the existence of a god mode, not rumored, not whispered about, but a corroborated god mode, will encourage other security researchers to seek other god modes in other versions of chips.

There is a non-technical treatment of Domas’ discovery at: Hacker Finds Hidden ‘God Mode’ on Old x86 CPUs by Paul Wagenseil.

It’s a good summary article but be forewarned of Wagenseil’s take on security:

The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it’s entirely possible that such hidden backdoors exist on many other chipsets.

Wagenseil has that backwards. Good news would be god modes on all chipsets. Bad news would be god mode is a one-off mistake on the VIA C3 Nehemiah chip (2003). God modes make information security more sporting.

What chipset patents are you going to be researching this week?

Update, 14 August 2018: See the Rosenbridge project on GitHub for code, etc.

August 5, 2018

Color and Size Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 8:46 pm

I mentioned in First Steps with Radare2 on Ubuntu 18.04 that I needed to reset the default colors in Radare2, along with making the font larger.

Itay Cohen, @megabeets_, quickly responded:

Hi Patrick! I read that you had a bit of a struggle with the font colors. Did you know you can change the color theme? Just use “eco “. Screenshots of the different themes are available here: https://r2wiki.readthedocs.io/en/latest/home/themes/#themes. You can also use the Visual Color editor “VE”. Try ‘ec?’

Great way to change displays!

Since I am running XFCE as a desktop, ctrl + and ctrl - don’t change the terminal font size. (Or at least I haven’t found how to make that work in XFCE.)

For the time being, I’m starting r2 in an Emacs shell, which allows me to reset the font size quite easily. With the added advantage of being in Emacs!

Now to try out “eco “.

Several people mentioned that I should try Cutter, the new GUI for Radare2. I will, but I’m comfortable with command line interfaces. Not to mention that experience with the command line will enable me to notice groupings in the GUI.

Chaff Bugs: Deterring Attackers by Making Software Buggier

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:20 pm

Chaff Bugs: Deterring Attackers by Making Software Buggier by Zhenghao Hu, Yu Hu, Brendan Dolan-Gavitt.

Abstract:

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).

A deeply interesting paper, but its testing of the effectiveness of chaff bugs falls short. The researchers used standard triage tools to estimate how exploitable the chaff bugs look. That isn’t the same as measuring their effectiveness against hackers.

By analogy, consider a team authoring a cracking puzzle and then estimating its difficulty, as opposed to relying on other teams to crack it. Different people, different perspectives, habits, tools, could all make a substantial difference.

Looking forward to seeing this technique appearing in hacking contests.

August 4, 2018

First Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 3:19 pm

If you read Reverse Engineering With Radare2, Part 1 by Sam Symons, you will be hot to jump in and start using Radare2!

Of course, like me, you will ignore most of the introduction and quickly search for Radare2, only to encounter an array of installation options, most of which don’t concern you.

Avoid that mistake: follow this link, http://radare.org/r/down.html (yes, the same one that Symons has in his post), and follow these directions:

git clone https://github.com/radare/radare2
cd radare2
sys/install.sh # just run this script to install or update r2 from git

OK, you need to:

sudo sys/install.sh if you aren’t in a root shell.

Symons points you to course materials for a Modern Binary Exploitation course and their website.

Starting with ./crackme0x00a, you are introduced to the r2 command to open the first challenge.

Presented in a different order, you will encounter:

  • ? – help (append to any command)
  • aa – analyze all
  • cd – change directories
  • pdf – print disassembly of a function, e.g. pdf@main (simple example)
  • pwd – identify working directory
  • s – seek
  • x – hexdump at the current seek (alias of px)

I’m working on resetting the colors! Even in a much larger size, this is terribly difficult to read!

That reminds me, there is a book on radare2, imaginatively titled: R2 “Book.” (There is truth to the claim that naming is one of the hardest problems in computer science.)

I got to the end of the first exercise and have some confidence that the Radare2 installation is working properly.

Before going any further, I’m going to experiment with and fix the color display. It’s painful to look at. More on its way!

Enjoy!

August 3, 2018

Browser-based GDB frontend: gdbGUI [With cameo by Thomas Hobbes]

Filed under: .Net,Cybersecurity,gdb,Hacking,Programming,Reverse Engineering — Patrick Durusau @ 8:26 pm

Browser-based GDB frontend: gdbGUI

From the post:

A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust! Simply run gdbgui from the terminal and a new tab will open in your browser.

Features:

  • Debug a different program in each tab (new gdb instance is spawned for each tab)
  • Set/remove breakpoints
  • View stack, threads
  • Switch frame on stack, switch between threads
  • Intuitively explore local variables when paused
  • Hover over variables in source code to view contents
  • Evaluate arbitrary expressions and plot their values over time
  • Explore an interactive tree view of your data structures
  • Jump back into the program’s state to continue debug unexpected faults (i.e. SEGFAULT)
  • Inspect memory in hex/character form
  • View all registers
  • Dropdown of files used to compile binary, with autocomplete functionality
  • Source code explorer with ability to jump to line
  • Show assembly next to source code, highlighting current instruction. Can also step through instructions.
  • Assembly is displayed if source code cannot be found
  • Notifications when new gdbgui updates are available

While cybersecurity is always relative, the more skills you have, the more secure you can be relative to other users. Or, as Thomas Hobbes observed in De Cive, revised edition, printed in 1760 at Amsterdam, bellum omnium contra omnes, “the war of all against all.” (The quote is found on pages 25-26 of this edition. The original post reproduces the page from the revised edition of 1647; the image is omitted here.)

Look to your own security. It is always less valuable to others.

Red Team Tips

Filed under: .Net,Cybersecurity,Hacking,Security — Patrick Durusau @ 2:11 pm

Red Team Tips by Vincent Yiu.

Overview:

The following “red team tips” were posted by myself, Vincent Yiu (@vysecurity) over Twitter for about a year. This is still on-going but I took the opportunity to publish these in one solidified location on my blog. These will be updated occasionally, but will not be bleeding edge updates. To receive my “red team tips”, thoughts, and ideas behind Cyber attack simulations, follow my Twitter account @vysecurity.

For the full Tweet and thread context (a lot of my followers will comment and give their insights also), visit Twitter.

Collection of three hundred and twenty-nine (329) red team (is there another kind?) tips!

Great way to start the weekend!

Enjoy!

July 29, 2018

When Phishing and “Dropped” USB Fails – Precision Issues in Graphic Libraries

Filed under: Cybersecurity,Security,Subject Identity — Patrick Durusau @ 3:10 pm

Drawing Outside the Box: Precision Issues in Graphic Libraries by Mark Brand and Ivan Fratric, Google Project Zero.

From the post:

In this blog post, we are going to write about a seldom seen vulnerability class that typically affects graphic libraries (though it can also occur in other types of software). The root cause of such issues is using limited precision arithmetic in cases where a precision error would invalidate security assumptions made by the application.

While we could also call other classes of bugs precision issues, namely integer overflows, the major difference is: with integer overflows, we are dealing with arithmetic operations where the magnitude of the result is too large to be accurately represented in the given precision. With the issues described in this blog post, we are dealing with arithmetic operations where the magnitude of the result or a part of the result is too small to be accurately represented in the given precision.

These issues can occur when using floating-point arithmetic in operations where the result is security-sensitive, but, as we’ll demonstrate later, can also occur in integer arithmetic in some cases.
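The bug class is easier to see in miniature than in Skia. What follows is an added example written for this post, not code from the Project Zero write-up or from any graphics library: a toy line rasterizer that clip-checks only its float endpoints and then steps across rows in 16.16 fixed point. The per-row advance is rounded to the nearest fixed-point unit, an error far too small to represent in the result, and it accumulates once per row. Place an endpoint within a fraction of a unit of the clip edge (the buffer width, the step count and the coordinates below are constructed for the example) and the last pixel lands one past the end of the buffer, even though the endpoint check passed. The hardened variant is the same stepping with a bounds check on every pixel write, which is the old-school fix the post settles on.

```python
# Added illustration, not Project Zero's or Skia's code: endpoint clip check in
# float, stepping in 16.16 fixed point with a rounded per-row slope. The slope
# rounding error accumulates across rows and crosses the clip edge.
from typing import List, Tuple

FIX_SHIFT = 16
FIX_ONE = 1 << FIX_SHIFT


def to_fixed(v: float) -> int:
    """Round a float coordinate to the nearest 16.16 fixed-point value."""
    return int(round(v * FIX_ONE))


def endpoints_in_bounds(x0: float, x1: float, width: int) -> bool:
    """The clip check as a careless rasterizer writes it: endpoints only, in float."""
    return 0.0 <= x0 < width and 0.0 <= x1 < width


def row_slope(fx0: int, fx1: int, dy: int) -> int:
    """Fixed-point x advance per row, rounded to nearest. The rounding is off by
    up to half a unit per row, so after dy rows the end is off by up to dy/2 units.
    (Python's // floors; C's / truncates toward zero, which changes the sign of
    the error for negative numerators but not the size.)"""
    return (fx1 - fx0 + dy // 2) // dy


def rasterize_unsafe(x0: float, x1: float, dy: int, width: int) -> List[int]:
    """x pixel index touched on each of dy+1 rows, trusting the endpoint check."""
    if not endpoints_in_bounds(x0, x1, width):
        raise ValueError("rejected by clip check")
    fx = to_fixed(x0)
    slope = row_slope(fx, to_fixed(x1), dy)
    xs = []
    for _ in range(dy + 1):
        xs.append(fx >> FIX_SHIFT)  # pixel = floor(fixed x); no per-pixel check
        fx += slope
    return xs


def rasterize_safe(x0: float, x1: float, dy: int, width: int) -> List[int]:
    """Same stepping, but every pixel write is bounds-checked; out-of-range pixels are dropped."""
    if not endpoints_in_bounds(x0, x1, width):
        raise ValueError("rejected by clip check")
    fx = to_fixed(x0)
    slope = row_slope(fx, to_fixed(x1), dy)
    xs = []
    for _ in range(dy + 1):
        px = fx >> FIX_SHIFT
        if 0 <= px < width:  # the check that belongs at the write, not only at the endpoints
            xs.append(px)
        fx += slope
    return xs


def demo() -> Tuple[List[int], List[int]]:
    """Constructed input: an 11-pixel-wide row buffer (valid x is 0..10) and a
    line from x=0.0 to x=10.99999 drawn over 4 row steps. Both endpoints pass
    '0 <= x < 11'. to_fixed(10.99999) is one unit below 11.0, and the rounded
    slope overshoots by exactly that unit after 4 rows."""
    width, x0, x1, dy = 11, 0.0, 10.99999, 4
    return rasterize_unsafe(x0, x1, dy, width), rasterize_safe(x0, x1, dy, width)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe pixels:", unsafe, "-> max index", max(unsafe), "in a buffer of width 11")
    print("safe pixels:  ", safe)
```

In the constructed case the unsafe path writes pixel indices 0, 2, 5, 8 and then 11, one past a buffer whose last valid index is 10. Note that making the slope computation truncate instead of round does not fix the class; it only moves which direction and which inputs overshoot, which is why the post ends up recommending fuzzing near the boundaries and checking at the write.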

With phishing success rates reported as high as 90% and the commonly cited 50% of users who would plug a “found” USB drive into their computer, high-end hacks of this kind are always a fallback position.

The techniques discussed here will be useful for such fallback cases but, the more interesting question to me comes in the conclusion:

When it comes to finding such issues, unfortunately, there doesn’t seem to be a great way to do it. When we started looking at Skia, initially we wanted to try using symbolic execution on the drawing algorithms to find input values that would lead to drawing out-of-bounds, as, on the surface, it seemed this is a problem symbolic execution would be well suited for. However, in practice, there were too many issues: most tools don’t support floating point symbolic variables and, even when running against just the integer parts of the simplest line drawing algorithm, we were unsuccessful in completing the run in a reasonable time (we were using KLEE with STP and Z3 backends).

In the end, what we ended up doing was a combination of the more old-school methods: manual source review, fuzzing (especially with values close to image boundaries) and, in some cases, when we already identified potentially problematic areas of code, even bruteforcing the range of all possible values.

Do you know of other instances where precision errors resulted in security issues? Let us know about them in the comments.

What set of subject identity criteria would enable rough identification of these issues?

Thoughts?

July 28, 2018

Deep Learning … Wireless Jamming Attacks

Filed under: Cybersecurity,Government,Government Data,Hacking — Patrick Durusau @ 8:25 pm

Deep Learning for Launching and Mitigating Wireless Jamming Attacks by Tugba Erpek, Yalin E. Sagduyu, Yi Shi.

Abstract:

An adversarial machine learning approach is introduced to launch jamming attacks on wireless communications and a defense strategy is provided. A cognitive transmitter uses a pre-trained classifier to predict current channel status based on recent sensing results and decides whether to transmit or not, whereas a jammer collects channel status and ACKs to build a deep learning classifier that reliably predicts whether there will be a successful transmission next and effectively jams these transmissions. This jamming approach is shown to reduce the performance of the transmitter much more severely compared with randomized or sensing-based jamming. Next, a generative adversarial network (GAN) is developed for the jammer to reduce the time to collect the training dataset by augmenting it with synthetic samples. Then, a defense scheme is introduced for the transmitter that prevents the jammer from building a reliable classifier by deliberately taking a small number of wrong actions (in form of a causative attack launched against the jammer) when it accesses the spectrum. The transmitter systematically selects when to take wrong actions and adapts the level of defense to machine learning-based or conventional jamming behavior in order to mislead the jammer into making prediction errors and consequently increase its throughput.

As you know, convenience is going to triumph over security, even (especially?) in the context of military contractors. A deep learning approach may be overkill for low-bid contractor targets but it’s good practice for the occasionally more skilled opponent.

Enjoy!

July 22, 2018

username: 4julian password: $etJulianFree!2Day

Filed under: Cybersecurity — Patrick Durusau @ 8:50 pm

Should Julian Assange lose his freedom, and it looks imminent, sysadmins at all levels of corporations, governments and organizations are likely to create new root users:

username: 4julian
password: $etJulianFree!2Day

There’s nothing illegal about creating new users. Happens everyday.

Many have promised impotent, camera-mugging expressions of rage as a response to an Assange arrest.

Systems hemorrhaging and continuing to hemorrhage data will have a much greater impact.

Don’t banks, stock exchanges, airports, news media, government, etc., all run on computers? Yes?

All those organizations should be lobbying the US government to leave Assange alone. Let him go freely to whatever destination he chooses. The alternative could be uncontrolled transparency.
