Tag wi-fi

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant

InfoSec Week 27, 2017

WikiLeaks has published documents detailing two alleged CIA implants, BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux.
https://wikileaks.org/vault7/#BothanSpy

Popular article about the background of iPhone Jailbreaking. Really interesting.
https://motherboard.vice.com/en_us/article/8xa4ka/iphone-jailbreak-life-death-legacy

Domains for an authoritative name servers of .io domain was free, so guy registered one, and published blog about the possibility of .io domains takeover.
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/

The author of the original variant of the Petya ransomware has published the master key via Twitter.
https://twitter.com/JanusSecretary/status/882663988429021184

Security researcher Nitay Artenstein has discovered a serious Broadcom Wi-Fi chip bug CVE-2017-9417.
https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/

Chinese researchers published an attack on a satellite phone encryption that enable them to decrypt communication encrypted by GMR-2 cipher in real-time.
https://eprint.iacr.org/2017/655.pdf

API Security Checklist is the checklist of the most important security countermeasures when designing, testing, and releasing an online API.
https://github.com/shieldfy/API-Security-Checklist

Horcrux: A Password Manager for Paranoids is an research project and experimental implementation of a highly secure password manager. Credentials are secretshared over multiple servers, the passwords are filled by modifying outgoing POST requests.
https://github.com/HainaLi/horcrux_password_manager
https://export.arxiv.org/pdf/1706.05085

InfoSec Week 15, 2017

Interesting blog about the generic unpacking of the Locky malware using Radare r2pipe, python and the Windows 7 VM.
http://blog.devit.co/unpacking-with-r2pipe/

More information about the Shadow Brokers NSA hacking toolkit dump are coming out after analysis.
Kudelski Security research published the overview of an Equation Group exploitation arsenal for the Windows platform. Good to note, that this dump has also implicated that the NSA compromised a SWIFT system.
https://research.kudelskisecurity.com/2017/04/14/shadow-brokers-april-2017-release-2/
http://securityaffairs.co/wordpress/58006/hacking/nsa-hacked-swift.html

Symantec researchers linked the CIA hacking tools (Vault 7) to a cyber attacks launched in recent years by a Longhorn group gang specialising in the intelligence gathering operations.
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/

Black hats have robbed at least 8 ATMs in Russia and stole $800,000 in one night using a ATMitch "fileless" malware.
http://securityaffairs.co/wordpress/57881/cyber-crime/atmitch-fileless-malaware.html

FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers so called FINSPY and LATENTBOT samples, targeting mostly Russian speaking users.
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html https://arstechnica.com/security/2017/04/microsoft-word-0day-was-actively-exploited-by-strange-bedfellows/

I wrote about the Broadcom’s Wi-Fi stack exploit last week, this is the second part of a series of Google Project Zero team.
https://googleprojectzero.blogspot.sk/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

InfoSec Week 14, 2017

The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
http://securityaffairs.co/wordpress/57850/malware/rensenware-ransomware.html

The new BrickerBot malware is performing so called Permanent Denial-of-Service (PDoS) on a IoT device. It's using the same attack vector as a Mirai botnet - bruteforcing ssh passphrase. If succesful, it tries to brick device storage.
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
https://blog.avast.com/mobile-spyware-uses-sandbox-to-avoid-antivirus-detections

The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
http://seclists.org/fulldisclosure/2017/Mar/89

Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
https://googleprojectzero.blogspot.md/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

TheShadowBrokers hacking group just leaked the NSA digital weapons package online.
https://github.com/x0rz/EQGRP
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
http://www.securityweek.com/wikileaks-details-cia-tool-creating-windows-malware-installers

The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used for breaking Qubes OS isolation. Exploit chaining required for the full system takeover tough.
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

Interesting research about the using antivirus software as a leverage during the attack. "Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf