Tag RSA

InfoSec Week 39, 2018

Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
https://lulz.com/linux-devs-threaten-killswitch-coc-controversy-1252/

Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html

Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
https://www.cnbc.com/2018/09/25/qualcomm-accuses-apple-of-giving-its-chip-secrets-to-intel.html

Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
https://www.brisbanetimes.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html

At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/

According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact

Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html

There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
https://www.usenix.org/conference/usenixsecurity18/presentation/chen-weiteng

InfoSec Week 15, 2018

The U.S. Secret Service is warning about a new scam scheme where the crooks are intercepting new debit cards in the mail and replace the chips on the cards with chips from old cards. Once owners activate the cards, crooks will use stolen chips for their financial gain.
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/

Russian state regulator Roskomnadzor have ordered to block the Telegram messaging application 48 hours after it missed a deadline to give up encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.
https://phys.org/news/2018-04-russian-block-telegram-messaging-app.html

A new Android P version will enforce applications to communicate over TLS secured connection by default.
https://android-developers.googleblog.com/2018/04/protecting-users-with-tls-by-default-in.html

Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. 1-bit leak from oraculum suffices to decrypt ciphertexts.
https://research.kudelskisecurity.com/2018/04/05/breaking-rsa-oaep-with-mangers-attack/

In depth article about stealing FUZE credit card content via Bluetooth.
https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html

Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.
https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-code-signing-abuse-in-malware-campaigns/

There is a vulnerability that results in a bypass of a tamper protection provided by the Sophos Endpoint Protection v10.7. Protection mechanism can be bypassed by deleting the unprotected registry key.
http://seclists.org/fulldisclosure/2018/Apr/6

Several vulnerabilities have been found in the Apache HTTPD server. Update now.
http://seclists.org/bugtraq/2018/Apr/6

Microsoft Windows tool certutil.exe for displaying certification authority information can be used to fetch data from the internet in the similar fashion like WGET or CURL.
https://isc.sans.edu/diary/rss/23517

There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.
https://eprint.iacr.org/2018/318

Snallygaster - a Tool to Scan for Secrets on Web Servers
https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html

Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.
https://github.com/a13xp0p0v/linux-kernel-defence-map

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 43, 2017

Researchers from the Masaryk University finally published full paper of the practical cryptographic attack against the implementation of RSA in the widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith’s A‚ttack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf

Those guys published an interesting paper about the secure cryptographic computation with the threat model without attackers based on Earth. They are proposing SpaceHSM hardware secure devices on the orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
https://arxiv.org/abs/1710.01430

There is a small chance that the documents encrypted by Bad Rabbit ransomware could be recovered without paying ransom, if the shadow copies had been enabled in the Windows prior to infection. Victims can restore the original versions of the encrypted files using standard Windows backup mechanism.
For technical analysis of the Bad Rabbit ransomware, see the second link.
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), from the Google Chrome browser.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

The British government has publicly attributed North Korean government hackers as a source behind the "WannaCry" malware epidemy.
https://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

Multiple remote execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular software Wget. Update!
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
https://github.com/AhMyth/AhMyth-Android-RAT

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
https://github.com/jgrancell/malscan

There is an update for the world's fastest and most advanced password recovery utility Hashcat.
https://github.com/hashcat/hashcat/releases/tag/v4.0.0

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant

InfoSec Week 16, 2017

Crooks are already using recently leaked NSA hack tools to exploit thousands of unpatched Windows machines.
https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

Bosch Drivelog Connector dongle could allow hackers to halt the engine.
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/

Android MilkyDoor malware lets attackers infiltrate phone's connected networks via Secure Shell (SSH) tunnels.
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/

The Hajime IoT worm is hardening IoT devices (closing open ports for now) to lock out other IoT malware. The code is not weaponised, contains only white hat's message.
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things

The guy found out how to trade other customers' stocks due to the bad implementation of the iPhone trading app.
https://privacylog.blogspot.ch/2017/04/what-happens-when-you-send-zero-day-to.html

NVIDIA is shipping node.js under the name "NVIDIA Web Helper.exe". As it's signed by the NVIDIA key, the application is whitelisted by Microsoft AppLocker, and can be used for bypassing protection.
http://blog.sec-consult.com/2017/04/application-whitelisting-application.html

Criminals are spreading financial malware using spam emails disguised as a payment confirmation email from Delta Air. Looks genuine. https://heimdalsecurity.com/blog/hancitor-malware-delta-airlines/

Some darkmarket real IP addresses can be found through the Shodan search.
"RAMP (Russian drug market, server in Russia) and Hydra (international drug market, server in Germany) are leaking.Anyone see other big ones?"
https://twitter.com/HowellONeill/status/855550034741309440 https://twitter.com/AlecMuffett/status/855542397165502464

Nice blog about the common mistakes done by developers when using encryption \ secrets.
https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/

Apple File System (APFS), introduced in March 2017, reverse engineered by Jonas Plum.
https://blog.cugu.eu/post/apfs/

WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.
https://wikileaks.org/vault7/#Weeping Angel

Funny research paper co-authored by Daniel J. Bernstein, "Post-quantum RSA", explores potential "parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s computers while all known attacks are infeasible, even assuming highly scalable quantum computers".
Funny part is that the actual parameters are "really" practical. Example: "For the 2Tb (256GB) encryption, the longest multiplication took 13 hours, modular reduction took 40 hours, and in total encryption took a little over 100 hours."
https://cr.yp.to/papers/pqrsa-20170419.pdf

A local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS.
http://seclists.org/fulldisclosure/2017/Apr/73

fake sandbox processes (FSP) - script will simulate fake processes of analysis sandbox/VM software that some malware will try to avoid. Windows only. https://github.com/Aperture-Diversion/fake-sandbox