Security Roundup - 2016-05-18

With the new season of Mr. Robot on the way, fans are giving the site some additional security scrutiny. One user found an XSS vulnerability that would allow a malicious actor to harvest Facebook profile information, while another found a blind sql injection allowing access to a collected mailing list.

Who hacks the hackers? I am not sure, but hacker forum Nulled.io was hacked recently and their information dumped. On initial review, it appears that the software powering their site might have suffered from numerous vulnerabilities that were not addressed.

Cloudflare has an article on blind sql injection via User Agent parameter. In this case, the injection vector asks the database to sleep for a period of time. An attacker knows that the injection has worked if the web request returns after the period of time in which they have tried to make the database sleep. Once sql injection is confirmed, an attacker can use things like try to enumerate users passively or, if something like blogging software with a known DB structure, do a query to inject database values into a comments table for retrieval.

DarkReading has an interesting article on ‘10 Years Of Human Hacking’, further detailing how easy it is to get users to plug in malware laden USB drives. One story involves a marketing department taking a box worth of infected USB devices (part of a pen test) to a conference to use as giveaways.

IBM is teaching Watson to fight crime. Cybercrime, that is. Teaming up with a number of universities, the plan involves feeding security datapoints into Watson, so that Watson can learn, and start to detect patterns and emerging threats.

Biometrics followup. The FBI doesn’t feel that privacy laws should apply to their ever growing biometrics database. Meanwhile, some researchers from Binghamton University have designed a new biometric, brainwaves. Their technique involves the brain response to a series of images, which they currently feel is 100% accurate. As this biometric is influenced by external stimuli, it has the added advantage in that it can be changed. The downside? Currently needing at least 27 images (at one image per second), oh and having to wear a cap of electrodes in order to measure the response.

Those interested in learning more about ‘ransomware-as-a-service’ will probably be interested in Checkpoint’s great rundown of the Nuclear Exploit Kit. Nuclear allows anyone willing to pay to launch ‘malware campaigns’, complete with fancy dashboards and statistics.

Attackers continue to exploit point of sale terminals, starting with Wendy’s owning up to a major data breach targeting their POS system. Said breach ‘only’ impacted a secondary POS system at 5% of their North American restaurants, but had major impact to several credit unions who had previously reported fraud stemming from Wendy’s customers. Meanwhile, Fireye recently discovered an exploit for Windows based POS terminals, which they dub ‘Punchbuggy’, which would have allowed full access to the PoS system. Is it any surprise that the PCI Security Standards Council will be requiring better security measures for companies that accept payment information.

What I Learned At My First CTF

The other day, my company ran a ‘Capture The Flag’ exercise, where developers attempted to complete a series of hacking challenges against a running server (set up by our Chief Research Officer).

The majority of the exercise revolved around application security, where the attacker would gain more and more information to gain further and further access.

To start, we were asked to identify what sofware the site was running. A quick look at the page source of the site showed the following:

<meta name="generator" content="Drupal 7 (http://drupal.org)" />

making it easy to determine that the site was running Drupal. With that in hand, I was able to use online scanning software to identify the exact version was 7.31 (apparently contained in a changelog that is sitting accessible).

A quick search for ‘Drupal 7.31 cve’ brought me to Exploit DB which handily contained a python script which allowed me to create an admin user in Drupal and log in to the server.

The next challenge was to try to identify users on the machine and passwords to things like databases. I spent a bunch of time poking around and trying to figure this out until I realized that Drupal, by default, allows content to be rendered as PHP. From the docs:

Body: where you put the text for the page. The "Input format" controls what 
code can go in the Body field. There are three default options: filtered HTML, 
PHP code, and full HTML.

With the ability to execute PHP, this made a few tasks pretty easy. I was able to leverage code execution to enumerate file paths on the server, and then open and render specific files. Of note was the settings.php file of Drupal to gather information on the database, as well as list the /home directory to learn more about some users.

The next step was to essentially obtain access to the machine itself, which I did not figure out in the time alloted, but I believe would build on the basis that I can potentially write files to the file system using PHP. Perhaps trying to add my own public key to a user’s .ssh folder? Or perhaps trying to create a reverse shell? The next CTF will tell.

Security Roundup - 2016-05-11

Verizon released their yearly Data Breach Investigations Reports. The Rapid 7 Community has a pretty good writeup. Reading the report has some interesting information:

  • Server assets being the cause of breaches is declining. Breaches due to people and their devices as the weak link is continuing to rise.
  • Breaches are more often than not discovered by third parties.
  • Webapp breaches have increased dramatically, which should be unsurprising given the easy of drive by scans and exploits.
  • Crimeware decreased drastically in 2015 (though this year’s ransomware reports lead me to believe it will be more prevalent in the next report)

The report also focuses on a few factors as primary points of vulnerability:

  • Patching Cadence - how long between a vulnerability being discovered and exploits being developed vs the time it takes organizations to upgrade/mitigate.
  • Social Engineering - phishing attacks are still highly effective.
  • Passwords - 63% of breaches apparently involve leaked/reused/weak passwords.

Related to the ease of drive by exploits, one anonymous user recently decided to scan for open VPC ports and make use of the screenshot facility to take some pictures. Among things found appear to be security systems, checkout systems, and desktops.

ImageTragick made the rounds this week, which results in ImageMagick running code embedded in certain image formats, as well as being able to do file manipulation on the system such as moving/deleting/reading files. Cloudflare has an article detailing usages they have seen in the wild starting at recon and escalating to attempted server takeover. Sucuri has seen some similar exploits.

Warby Parker recently decided to test their Cyber Security Response time, by staging a site takedown. Much fun was had by the ‘attackers’, practice was had, and lessons were learned.

Last week, there was news to the effect that millions of email addresses were leaked. This turned out not to be the case, with various email providers declaring the majority of the information was bogus. Troy Hunt (who is behind haveibeenpwned.com), goes into depth on how he does validation on data leaks, rather than just accept them at face value.

ThreatPost has some good ransomware articles, including a post on ‘Ransomware as a Service’, ‘A Diary of a Ransomware Victim’, where a casino’s consultant had no security precautions and allowed TeslaCrypy to spread rapidly through the network, and an update on the Bucbi ransomware which is being used as a targeted attacks, rather than randomly seeking targets.

Malwarebytes has a very in depth analysis of the 7ev3n ransomware variant. After completely reverse engineering, they were able to tell the implementor designed their own custom crypto mechanism, making it easier to recover files.

A few months ago, I mentioned people performing man in the middle attacks between free standing ATMs and networks. This week I’ve learned that sophisticated skimmers can actually be inserted into the card reader slot.

Security Roundup - 2016-05-04

One engineer recently found ‘Shellshock’ style user agent strings in his log files. After investigation, he realized that an attacker was using someone’s unsecured log files as a blind drop for scanning results.

Apparently, a few years ago, someone set up a project to try and find common factors in RSA PGP keys. Last year, they started processing keys from the public keyserver dataset. To date, they have found over 200 broken keys and 2000 keys with suspicious characteristics, including keys from Apple, Product Security, Nasa, and The Pirate Party. These keys contain things like non-prime factors and shared factors, where if you take 2 keys with one known shared factor, you can figure out the second (and thus generate a private key). This could either be due to poor sources of entropy or deliberately crippled PGP implementations.

The Verge has a good article on why fingerprints are not good for authentication. Among other things: The government has a giant database of fingerprints (mine have been scanned when traveling back and forth from Canada), and thus are leak-able. Unlike passwords, changing fingerprints (and other biometrics) is pretty hard and we leave our fingerprints everywhere. If anything, biometrics are more akin to a username then they are to a password.

Some security researchers recently realized that Slack API tokens were checked in to Github repositories. They quickly realized they could gain access to a lot of sensitive information, including passwords. Slack has indicated they are now scanning Github and revoking found tokens, similar to what other services like Amazon currently do.

In a follow up on the recent story of how quickly people plug in random USB keys, Infosecurity Magazine has an article on how the American Dental Association accidentally spread malware via USB keys they had manufactured.

After 100 breaches, Have I Been Pwned has had breach data submitted by the breached company, rather than finding the data online. A similar service, Pwnedlist, has recently had a major security vulnerability communicated to them, and has decided to shut down their public site.

Security Roundup - 2016-04-27

Apparently, the Bangladash Bank was hacked recently, and almost taken for $1 billion dollars! The attack vector? Cheap network switches, providing neither a firewall or the ability to logically separate network traffic.

The personal info of 93.4 Million Mexicans recently occurred due to a publicly exposed database.

In security, humans are the weakest element. In order to make security training more interesting and memorable, one company has started ‘Game Of Threats’ where teams compete against each other in a game to learn more about what threats organizations face.

AV products are introducing ‘sandboxing’, where they isolate a process from the rest of the system and monitor for bad behavior before allowing it to be run. Nettitude has an interesting write up on how they broke out of Avast’s Sandbox.

PeerLyst goes over some lesser known options to unregister windows functions actually allows you to trigger remote code execution.

Or how about one hackers journey to claim a Facebook bug bounty led them to find a number of vulnerabilities in a product Facebook uses? Also found: Webshells from previous attackers.

Ars has an interesting article on the ‘Nuclear’ Exploit Kit. I found it interesting about how it uses user agents to tailor payload and/or to evade detection.

Page 19 of 23