Tag encryption

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Elcomsoft wrote an insight about the drastically degraded security of the Apples iOS 11 operating system.
https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
https://mobile.nytimes.com/2017/11/29/technology/dji-china-data-drones.html

Crooks are installing cryptocurrency miners by using typosquatting npm package names. They are searching for the unregistered package names with the difference of one bit from a well known packages.
https://medium.com/avahowell/bitsquatting-npm-packages-533c988d568f

Swiftype written a good blog about their infrastructure risk assessment and threat modeling.
https://swiftype.engineering/threat-modelling-and-infrastructure-risk-assessment-at-swiftype-6c1b337c7df1

Nvidia published a paper about the clustering of a benign and malicious Windows executables using neural networks.
https://devblogs.nvidia.com/parallelforall/malware-detection-neural-networks/

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
https://github.com/eth0izzle/bucket-stream

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation
https://github.com/draios/sysdig-inspect/

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant

InfoSec Week 40, 2017

There is a great probability that if you used Outlook’s S/MIME encryption in the past 6 months, plaintext of your emails was leaked to the mail exchange because of Outlook S/MIME CVE-2017-11776 vulnerability.
https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/index.html

The Kaspersky anti-virus was allegedly stealing NSA secrets using a silent signature mode that detected classified documents. Israel hacked the Kaspersky, and notified the NSA.
https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html
https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874

A custom OxygenOS Android fork that comes installed on all OnePlus smartphones, is tracking users, allowing OnePlus to connect each phone to its customer.
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

Chromebooks and Chromeboxes are affected by a bug in certain Infineon Trusted Platform Module (TPM) firmware versions. RSA keys generated by the TPM being vulnerable to a computationally expensive attacks. Targeted attacks are possible.
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

KovCoreG hacking group used advertising network on Pornhub to redirect users to a fake browser update websites that installed malware.
https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-ad-fraud-malware

Apple released a security patch for macOS High Sierra 10.13 to fix vulnerabilities in the Apple file system (APFS) volumes and Keychain software. The patch also addresses a flaw in the Apple file system that exposes encrypted drive’s password in the hint box.
http://securityaffairs.co/wordpress/63896/hacking/apple-file-system-flaw.html

Yet another part of the reverse engineering blog post series analyzing TrickBot with IDA.
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core

Keybase has launched a nice new feature - encrypted Git. There are no services like website, pull requests, issue tracking or wiki, just simple git. Encrypted.
https://keybase.io/blog/encrypted-git-for-everyone

InfoSec Week 38, 2017

The ZNIU Android malware is exploiting Linux kernel "Dirty COW" vulnerability to install itself on a device and collect money through the SMS-enabled payment service.
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/

Good introduction blog into the art of binary fuzzing and crash analysis demonstrated by fuzzing famous open-source Mimikatz software.
https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

Security researcher Inti De Ceukelaire has gained access to company team pages by exploiting faulty business logic in popular third-party on-line helpdesks.
https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Server part of the Wire end-to-end encrypted instant messenger application is now open-source, but there are lots of external dependencies and no documentation yet.
https://medium.com/@wireapp/wire-server-code-now-100-open-source-the-journey-continues-88e24164309c

A brief description behind the technology of a private contact discovery used in Signal messenger.
https://signal.org/blog/private-contact-discovery/

X41 IT Security company has released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer.
https://github.com/x41sec/browser-security-whitepaper-2017

A nice list of a various open-source honeypot projects available on-line.
https://www.smokescreen.io/practical-honeypots-a-list-of-open-source-deception-tools-that-detect-threats-for-free/

SigThief - The script that will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. It's not a valid signature BUT it's enough for some anti-viruses to flag the executable as trustworthy.
https://github.com/secretsquirrel/SigThief

InfoSec Week 36, 2017

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link routers.
https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

There is a new research paper published on a security of a Bluetooth stack named "The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks." Really alarming vulnerabilities discussed.
From a paper: "BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware to other devices. The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device."
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

FireEye has analyzed a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability leveraged by attackers to distribute notoriously known FinFisher / FINSPY malware.
I have included exploit example that is published on a GitHub.
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://github.com/Voulnet/CVE-2017-8759-Exploit-sample

Kaspersky Labs have analyzed the trend of malicious cryptocurrency mining practices on an infected machines.
https://securelist.com/miners-on-the-rise/81706/

The Android BankBot malware found on Google Play store is targeting multiple UAE banking applications.
http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-play-targets-ten-new-uae-banking-apps

Good analysis of how the JavaScript framework can be abused to bypass XSS mitigations, specifically NoScript’s XSS filter.
http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

NSA had developed the capability to decrypt and decode Kazaa and eDonkey file-sharing apps traffic to determine which files are being shared, and what queries are being performed over those P2P networks.
https://theintercept.com/2017/09/13/nsa-broke-the-encryption-on-file-sharing-apps-kazaa-and-edonkey/

Formally verified implementation of Curve25519 made it into Firefox 57. And it is 20% faster on 64-bit architectures.
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/

A nice curated list of IDA plugins.
https://github.com/onethawt/idaplugins-list

InfoSec Week 34 - 35, 2017

Autodesk A360 cloud-based online storage misused as a delivery platform for multiple malware families.
http://blog.trendmicro.com/trendlabs-security-intelligence/a360-drive-adwind-remcos-netwire-rats/

Brian Krebs has done a good open source intel work on a shadowy past of Marcus Hutchins, author of the popular cybersecurity blog MalwareTech.
https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/

Wikileaks has published documents about the CIA Angelfire - "persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7)"
https://wikileaks.org/vault7/#Angelfire

ESET has published a research paper about a Gazer, stealth cyberespionage trojan, attributed to the notoriously known Turla group. The group was spreading malware using watering hole and spearphishing campaigns. I cannot find any more direct attribution except the fact that it is targeting "embassies and consulates" which, I believe, are a very common target for every intelligence actor...
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Zimperium Researcher Adam Donenfeld published a proof-of-concept for iOS Kernel Exploit.
https://github.com/doadam/ziVA

Very good analysis of a group chat vulnerabilities in a popular IM applications:
"Insecurities of WhatsApp's, Signal's, and Threema's Group Chats"
https://web-in-security.blogspot.ch/2017/07/insecurities-of-whatsapps-signals-and.html

Cloudflare's blog post about a quantum resistant supersingular isogeny Diffie-Hellman key agreement used in TLS 1.3.
https://blog.cloudflare.com/sidh-go/

A Phrack-style paper on research into abusing Windows token privileges for escalation of privilege. Deep down the rabbit hole.
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

Security researchers at Positive Technologies have discovered an undocumented configuration setting that disables the Intel Management Engine.
http://securityaffairs.co/wordpress/62470/hacking/intel-management-engine-kill-switch.html

InfoSec Week 27, 2017

WikiLeaks has published documents detailing two alleged CIA implants, BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux.
https://wikileaks.org/vault7/#BothanSpy

Popular article about the background of iPhone Jailbreaking. Really interesting.
https://motherboard.vice.com/en_us/article/8xa4ka/iphone-jailbreak-life-death-legacy

Domains for an authoritative name servers of .io domain was free, so guy registered one, and published blog about the possibility of .io domains takeover.
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/

The author of the original variant of the Petya ransomware has published the master key via Twitter.
https://twitter.com/JanusSecretary/status/882663988429021184

Security researcher Nitay Artenstein has discovered a serious Broadcom Wi-Fi chip bug CVE-2017-9417.
https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/

Chinese researchers published an attack on a satellite phone encryption that enable them to decrypt communication encrypted by GMR-2 cipher in real-time.
https://eprint.iacr.org/2017/655.pdf

API Security Checklist is the checklist of the most important security countermeasures when designing, testing, and releasing an online API.
https://github.com/shieldfy/API-Security-Checklist

Horcrux: A Password Manager for Paranoids is an research project and experimental implementation of a highly secure password manager. Credentials are secretshared over multiple servers, the passwords are filled by modifying outgoing POST requests.
https://github.com/HainaLi/horcrux_password_manager
https://export.arxiv.org/pdf/1706.05085

InfoSec Week 16, 2017

Crooks are already using recently leaked NSA hack tools to exploit thousands of unpatched Windows machines.
https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

Bosch Drivelog Connector dongle could allow hackers to halt the engine.
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/

Android MilkyDoor malware lets attackers infiltrate phone's connected networks via Secure Shell (SSH) tunnels.
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/

The Hajime IoT worm is hardening IoT devices (closing open ports for now) to lock out other IoT malware. The code is not weaponised, contains only white hat's message.
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things

The guy found out how to trade other customers' stocks due to the bad implementation of the iPhone trading app.
https://privacylog.blogspot.ch/2017/04/what-happens-when-you-send-zero-day-to.html

NVIDIA is shipping node.js under the name "NVIDIA Web Helper.exe". As it's signed by the NVIDIA key, the application is whitelisted by Microsoft AppLocker, and can be used for bypassing protection.
http://blog.sec-consult.com/2017/04/application-whitelisting-application.html

Criminals are spreading financial malware using spam emails disguised as a payment confirmation email from Delta Air. Looks genuine. https://heimdalsecurity.com/blog/hancitor-malware-delta-airlines/

Some darkmarket real IP addresses can be found through the Shodan search.
"RAMP (Russian drug market, server in Russia) and Hydra (international drug market, server in Germany) are leaking.Anyone see other big ones?"
https://twitter.com/HowellONeill/status/855550034741309440 https://twitter.com/AlecMuffett/status/855542397165502464

Nice blog about the common mistakes done by developers when using encryption \ secrets.
https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/

Apple File System (APFS), introduced in March 2017, reverse engineered by Jonas Plum.
https://blog.cugu.eu/post/apfs/

WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.
https://wikileaks.org/vault7/#Weeping Angel

Funny research paper co-authored by Daniel J. Bernstein, "Post-quantum RSA", explores potential "parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s computers while all known attacks are infeasible, even assuming highly scalable quantum computers".
Funny part is that the actual parameters are "really" practical. Example: "For the 2Tb (256GB) encryption, the longest multiplication took 13 hours, modular reduction took 40 hours, and in total encryption took a little over 100 hours."
https://cr.yp.to/papers/pqrsa-20170419.pdf

A local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS.
http://seclists.org/fulldisclosure/2017/Apr/73

fake sandbox processes (FSP) - script will simulate fake processes of analysis sandbox/VM software that some malware will try to avoid. Windows only. https://github.com/Aperture-Diversion/fake-sandbox

InfoSec Week 2, 2017

Brother and sister arrested in Italy for spying on top public officials, businessmen and institutions. They wrote a VB.NET malware with RAT / spyware features. They infected high level targets via spear-phishing and pivoted on their email to infect more higher level targets. They had terrible OPSEC, bought some domains and hosting with real names.
http://www.telegraph.co.uk/news/2017/01/10/italian-brother-sister-arrested-cyber-espionage-operation-tapped/ https://jekil.sexy/blog/2017/eyepyramid-i-forgot-to-do-myhomework.html

BuzzFeed article about Trump claims that the Russian Security Service FSB has "capabilities" against the Telegram messaging app. Security researcher Frederic Jacobs wrote about this back in April 2016.
https://www.fredericjacobs.com/blog/2016/04/29/more-on-sms-logins/ https://twitter.com/i/web/status/819127046588813313 https://www.buzzfeed.com/kenbensinger/these-reports-allege-trump-has-deep-ties-to-russia

At 33rd Chaos Communication Congress, security researcher Claudio Guarnieri launched open initiative "Security Without Borders". "Security Without Borders will provide digital security assistance to organizations to harden infrastructure against attacks, perform incident response to secure organizations, engage in public education, and produce research on the threats posed to activists. Among our members we count penetration testers, malware analysts, reverse engineers, vulnerability researchers, and software developers."
https://securitywithoutborders.org/ https://medium.com/security-without-borders/transmission-1-7eaae7bc8caf

3 BYTES long RSA key secures implanted cardiac devices, and yes, it's also backdoored. As Matthew Green said on Twitter: "But in case 24-bit RSA isn't bad enough, the manufacturers also included a hard-coded 3-byte fixed override code. I'm crying now." Public statement: "The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/index.html

Security company Emsisoft spotted a new ransomware named Spora, that allows potential victims to pay for immunity from future attacks. From the article: "You can choose to only recover your files or pay for removal of the ransomware and immunity from future attacks at an extra cost." It has also very interesting intel gathering technique, which is later used for the monetisation.
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

Google has released a toolkit for a transparent and secure way to look up public keys. "Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable." This solves an open problem in messaging.
https://github.com/google/key-transparency/

Company E-Sports Entertainment Association refused to pay $100,000 to hackers, so they published customer dataset online.
http://fortune.com/2017/01/10/hackers-havoc-ransomware-esea/

Popular browsers and extensions can be tricked into leaking private information using hidden text boxes. https://github.com/anttiviljami/browser-autofill-phishing

Fake "Migrant Helpline" donations emails delivers malware.
https://myonlinesecurity.co.uk/spoofed-migrant-helpline-donations-delivers-malware/


Page 1 / 2