Monthly Archives: January 2016

EncFSGui – GUI Wrapper around encfs for OSX

Introduction 3 weeks ago, I posted a rant about my frustration/concern related with crypto tools, more specifically the lack of tools to implement crypto-based protection for files on OSX, in a point-&-click user-friendly way.  I listed my personal functional and technical criteria for such tools and came to the conclusion that the industry seem to […]

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. The Indian intelligence and police agencies over the last few weeks successfully nabbed ISIS operatives foiling major terror plots in the run up to the 26th.

With tensions running high, and the anti-terror squads under full alert, a mentally disturbed man swatted airport and railway helpdesks claiming that bombs would go off on Mumbai-bound flights, and cars stuffed with explosives would blow up at the airports and the Pune Railway Station.  Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man who was later apprehended had made four calls made over two days to airports and railway stations claiming that there was a car packed in the airport vicinity loaded with explosives or that a person onboard a flight was carrying a bomb in his hand luggage. This ensured that over 200 policemen were diverted from deterring real terrorists to comb these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur for pranks, online harassment or even for revenge. Recently Skype introduced a patch which protected the privacy of a callers IP address, a flaw which could be exploited to launch swat teams on rival gamers using IP geolocation. 

Such acts are akin to terrorism  and punishable as a crime because of  its potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to persons targeted. Cybercitizens are advised not to make prank calls for whatever reasons as the joke may turn into a long ugly jail term

CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits





While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),
- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)
- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)
( all have the IE CVE-2015-2419 from august)

Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28

Angler EK : 2016-01-25
The exploit might be here since the 22 based on some headers modification which appeared that day.
It's not yet pushed in all Angler EK threads but widely spread.
Thanks Anton Ivanov (Kaspersky) for CVE Identification !

CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory
2016-01-25
Fiddler sent to VT.
---
Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :

CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall  (crypt13001)
from the widely spread and covered "crypt13x" actor thread - 2016-01-25

(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )

I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.
---
I spotted a thread serving a landing and an exploit to Firefox.
2016-03-23 Firefox pass with Sandbox escape :
Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305
Bedep successfully wrote its payload on the drive.
2016-03-23
Files : Fiddler in a zip (password malware)

Neutrino :
Thanks Eset for identifying the added CVE here.

Neutrino Exploiting CVE-2015-8651 on 2016-02-09
Here Bunitu dropped
Note: For some reason couldn't have it working with Flash 20.0.0.228.

Files : Fiddler here (password is malware)

Nuclear Pack:

Thanks again Eset for CVE identification here.
Nuclear Pack exploit CVE-2015-8651 on 2016-02-10



Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)

It seems Chrome won't save you if you do let it update.
2016-02-17 on DE/US/FR traffic

This is not something i can reproduce.

Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)

Files : Fiddler here (password: malware)

Magnitude:
2016-02-18
CVE ID confirmed by Anton Ivanov (Kaspersky)
Magnitude dropping Cryptowall via CVE-2015-8651
2016-02-18
Files : Fiddler here (Password is malware)

RIG :
Some days before 2016-04-06
Thanks FireEye for CVE identification.
CVE-2015-8651 successfuly exploited by RIG on 2016-04-07
Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02
( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)
Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)

Read More:
(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBook

Post publication reading :
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

For the bored: Infosec Noir

Instead of doing productive things I’ve found a new outlet for self-entertainment, and I seem to be amusing a few others, too.

My newish Twitter account is @InfosecNoir, it is:

“The adventures of Jimmy Black. He decrements the TTLs of cybercriminals so you don't have to.

He has a drinking problem, but only when his glass is empty.”

It is pretty low volume, and is meant to entertain me.  If it entertains you, too, then maybe follow, or just check in occasionally.

Important note: While some of it is autobiographical, and some is “based on true stories”, much is pure fiction.  I’ll admit the first tweet is autobiographical,

image

after that, your guess is as good as mine.  And for the pedantic, it was Atorvastatin, not Lipotor™.  Yay generics.

 

Jack

Cybercitizens, stay away from commenting or liking posts with terror ideologies

Of current global concern is the ease at which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave all and fight wars in hostile lands. Their success stems from their ability to spin doctor content and communicate in a way that is alluring to young people.  The outcome is brainwashed young people who willing give up their lives, blowing themselves up in crowded areas killing innocent people.

As the death toll mounts so does the pressure on social media companies or online platforms which have given a voice to these terror organization. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only to remove it. Which they made harder to do, as they decided to only remove content that violate something obvious like pornography but others which were more specific like defamation, sullying reputation, hate speech was subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online and many countries with a different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their sufferings, it scant mattered to the social media companies but now when lives are being lost, and it is a matter of huge public interest; they are under tremendous pressure to get their act right and reduce the ability of these groups from using this platform while still maintaining the privacy of individual users.

I was surprised to see a Davos new headline which stated that Facebook's Sheryl Sandberg: 'likes' can help stop Isis recruiters, was recommending cybercitizens to spread positive messages (counter propaganda) on terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change. Should not counter propaganda of any sort be organized!

Liking or commenting on such sites brings you in the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.  

Instead social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of small social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task as the initial indoctrination, I would expect is in plain speech.

Open Live Writer

Oh, hey- bloggy thing.  I know I should blog more, both here and over on my travel drinking blog, but you know…

Open Live Writer

One very nice recent development is that a team at Microsoft has created an Open Source fork of Windows Live Writer.  WLW used to be a really sweet, lightweight WYSIWYG blog tool for Windows- then it got Microsofted and bloaty, then abandoned.  Open Live Writer brings it back from the dead, updates authentication to work with modern platforms, and pulls out a lot of cruft.

It is still early in development, but so far it is working well for me and I do not miss any of the “missing” features.  I’m enjoying the speed and functionality of Open Live Writer, and I’m grateful that some folks at Microsoft have revived this great little tool.  If you are a blogger and Windows user, check it out.

 

Jack

Introducing the PIVOT Project

OK kids, this is cool.  Know a hacker or computer club or school that could use some free, community-contributed labs?

Pivot Cyber Challenges

 

From the website (pivotproject.org):

“People who earn great jobs in cyber security have mastered both academics and hands-on skills.  But where can people with a wide variety of skill levels get hands-on practice with real-world cyber security problems?  On January 12, the PIVOT project goes live to help meet that need. PIVOT makes it possible for students and others, all over the world, to build their hands-on skills in a fun, challenging, real-world cyber environment.  PIVOT provides exciting hands-on labs and challenges for student groups and associated faculty, completely free.  Through a variety of engaging downloadable materials, participants build their hands-on skills to help them pivot from academic studies to their future cyber security careers.”

To kick things off there’s a contest to get things moving and gather feedback:

“We’re launching PIVOT with a special contest and over a dozen prizes so you can help make PIVOT even better.  Prizes include gift cards, club pizza feasts, t-shirts, and more!

To participate in the contest and help us make PIVOT even better, all you need to do is have your group work through your choice of at least two of our current labs, and then have a student leader or faculty member fill out our contest form by February 15, 2016.  The contest form gathers information about your experiences with the labs and recommendations for additional PIVOT challenges.  From all submitted entries, we’ll select the top 5 with the most useful input to receive our grand prizes.  Then, from all submitted entries, we’ll select another 10 at random to receive a prize.”

Please check out PIVOT Project and spread the word, it is off to a great start but now we need to build the community.

 

Jack

Facebook Account Hacked! What To Do Now?


Every single day i get emails in my inbox and on my facebook page from users querying about how to recover hacked facebook account and a common problem i see in all of them is that they are proactive. Everyone searches for Facebook account recovery softwares, Facebook hacking softwares and recovery mechanisms after their facebook or any other email account has been hacked. In this article, Gary suggests methods to identify if your computer or email account has been hacked and methods suggesting what you can do after your facebook account has been hacked.

In today’s digital world, it is unfortunately not uncommon for an account or machine to become compromised by an attacker for nefarious purposes. During your searches for a step-by-step solution, your frustration may hit the breaking point, as you scroll through page after page, listing preventative measures that it may already be too late for. No problem. In today’s article I will outline simple strategies that should get you back in control of your online accounts and devices after a breach is suspected or confirmed. These instructions will be laid out in a manner that should be quite easy for an average user to comprehend and execute. But first, let’s take a minute to understand exactly how this probably happened in the first place.

NOTE: If you are potentially dealing with this situation right now, please skip ahead to the “ What do I do?” section of this article, first. Then be sure to read the rest.

Did I Get Hacked?

You’re browsing around online and suddenly your friends on social media are asking you what these links you keep sending them are, or perhaps your password to an online account has been changed, emails are being sent from your email account, or there is just something strange in your activity log. Do any of these mean that your account has been compromised?

First of all, always assume your account and system have been compromised and take the appropriate measures to secure them, when in doubt. Do not let an attacker maintain a foothold and continue masquerading as you and/or stealing your sensitive data and files, while you come up with excuses to justify unfamiliar activity. Also, while many online services and accounts have a ‘connected devices’, ‘location information’, or ‘login activity’ viewer in their settings, this should never be advised as a sure-fire way to rule out being hacked. There are many ways that these features can be rendered useless - malware can be installed on the user’s machine which sets up an HTTP or SOCKS proxy on the machine of the user, session cookies can be stolen, and even the online account settings themselves can be manipulated or even flawed to cover malicious activity. Secure your accounts and system, anyway, just to be safe. It may be time consuming, but it is far better than waiting around for something bad to happen.

How Does This Happen (Methods To Hack Facebook Account)?

There are many methods which attackers deploy to breach online accounts of their victims. This is not meant to be an instruction manual or even a comprehensive list of every way an attacker can possibly compromise your system, accounts, and/or online services. This is just an overview of the most common real-world techniques that are actually being deployed. If you’ve been hacked, chances are good that it was done by a combination of the techniques listed below.

There are Man-In-The-Middle Attacks which capture data packets from the victim machine and store them, before sending them along to the proper destination. There’s Phishing, where an attacker convinces you to sign in to your account via a fake login page, then steals your credentials. Sometimes websites themselves are hacked via sql injection methods that dump the entire database of usernames and password hashes… these same username/password combinations are then attempted on many various sites, since a lot of users use the same login credentials across many websites and services. Then there is potentially the most dangerous… malware can be installed on the victim machine which can do anything from logging keystrokes, to remotely browsing the filesystem, to opening a remote shell, or even spying on the users via their webcams and microphones.

The malicious hacker’s toolbox of techniques is always evolving and changing to meet changes in security practice and while there are other ways accounts can be compromised, most real-world hacks are a combination of some of the techniques listed above.

“What Do I Do?”

I would like to divide this into three sections, as each are important. Secure Your Accounts and Services, Secure Your Machines and Devices, and Damage Control. You don’t know for sure how much of a foot-hold an attacker has or how long they have had it, before you realized or became suspicious. So assume everything has been compromised and secure each of them, as they may be used by an attacker to later re-compromise what you have secured.

Secure Your Facebook Accounts and Online Services

You must change the passwords to all your online accounts and services that you use. Even the ones that you don’t recall using sensitive data on. This practice should obviously be prioritized, beginning with the account that you notice suspicious activity on.

Then quickly change your associated email accounts, as these can usually be used to reset the passwords to your other accounts. Be sure to ‘logout active sessions’ or connected devices, if your service has this feature. If so, you will probably be asked or prompted with it, during the password reset process.

Do not use the same passwords across different sites or services. Go to the security settings of each site or service and activate every notification you possibly can for login attempts and activity Enable two-factor authentication. Make it a pain in the ass to login if you must. Remember that ease of use and convenience are simply open doors for many others.

Then, after you have secured your devices, go through and do a final sweep of password changes. This final step is due to the fact that, if malware is installed on your device, an attacker could potentially be watching you change all your passwords the first time.

Also, follow your website, social media, or other online service’s specific guidelines for reporting unusual behavior and securing your accounts. They most likely have a staff that deals with these situations on a daily basis, are usually very polite and helpful and there should never be any negative consequences if you are in error in your reporting of a hacked account.

Secure Your Devices

We must next purge your devices of any malicious processes. There are usually many free antivirus solutions that do a great job at eliminating these threats in a simple scan, but don’t be scammed by a fake. Do your research for the latest, well known and best free or paid (depending on your budget) anti-malware solution. Read third party reviews.

Now, I know that anti-virus protection is not always a 100% solution, as there are many obfuscation and crypting methods that can be used to hide malware signatures from antivirus scans, but the big antivirus companies are very competitive and new definition updates roll out on a regular basis. At the time of writing this, the average private crypts are only FUD (fully undetectable) for approximately one month and the average public crypts which actually are FUD (most are never FUD, from the beginning) are only so for about one or two weeks.

While an anti-virus scan will most likely eliminate the threats on your PC, it is still advised that you backup your important files and data, format your hard drive and reinstall your operating system. For devices other than PC, follow your manufacturer’s guidelines for resetting your device to default factory settings.

Damage Control

An often overlooked aspect of securing your accounts and services, is what to do afterward. It is a bit important, because you may not know what messages have been sent to others or what was done in your name.

Financial services should be your first concern. Check your account activity for any purchases you do not recognize. Be sure to call your bank or credit card companies and have new card numbers issued.

As for social media, don’t be embarrassed or ashamed to post a public announcement, for everyone to see. Most everyone has seen social media accounts having been taken over by an attacker or bot and posting malicious links all over the internet, already. These things happen all of the time. This is nothing new and people will not think of you as being stupid or view you in a different light. They will instead judge you based on your quick and calm ability to assess and take control of the situation, most likely awarding you with support and respect.

For formal or social media accounts, a statement like this should be sufficient:

Hello Everyone. I have an important and unfortunate announcement to make. It appears that some of my accounts were compromised (hacked). I noticed suspicious activity on (date XX/XX/XX ) and while I am actively securing everything and the damage seems minimal, there’s no way for me to know the full extent or length of time of the breach. If you noticed any suspicious activity from my account or strange messages, please inform me immediately. Also if you have gotten any links from “me” recently, do not follow them. Instead ask me about them after I have finished securing all of my accounts, devices and services. I appreciate your support. Have a great day, everyone and apologies if there has been any inconvenience.”

A shorter version:

“One of my accounts was recently hacked. Things seem fine so far. I’m now securing it. Be sure to let me know of anything suspicious from my account. Thanks.”

And last, but not least: prevention. This could’ve saved you a lot of effort and grief to begin with. Keep up to date with the latest security practices for all of your online services, all your accounts, and all of your devices, because often a foothold into one of these can allow access into others.





About the Author


My name is Gary Lewis. While I am not as knowledgeable and skilled as many of your programming and security experts and teachers are, I do have real-world experience. There are a lot of technical skills that I'm not an expert at, but I was involved in a lot of things I will not list here and I do know how hacks are being done in the real world, rather than textbook knowledge. I retired from that scene some time ago and decided to pursue philosophy, art, and poetry. Currently, I am working on 3 series of dark themed art and poetry books entitled Paradoxium, Inevitum, and Relativium about Chaos, Order, and Time. I still stay up to date on data security and am happy to write an article for my good friend Rafay, when he wishes, but my days of hacking are over. So if you have any questions or inquiries, please refer to him and his team. They are very knowledgeable in their field of study.

3109853 – Update to Improve TLS Session Resumption Interoperability – Version: 1.0

Revision Note: V1.0 (January 12, 2016): Advisory published.
Summary: Microsoft is announcing the availability of an update to improve interoperability between Schannel-based TLS clients and 3rd-party TLS servers that enable RFC5077-based resumption and that send the NewSessionTicket message in the abbreviated TLS handshake. The update addresses an issue in schannel.dll that could cause RFC5077 session ticket-based resumption to fail and subsequently cause WinInet-based clients (for example, Internet Explorer and Microsoft Edge) to perform a fallback to a lower TLS protocol version than the one that would have been negotiated otherwise. This improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows.

A different kind of magic

Yesterday the world lost a good man, and the hacker community lost a great friend.  David Jones, better known to many as Rance, or @RevRance, ended his battle with cancer early yesterday morning, his suffering is over.


A great photo of Rance by Kevin Riggins
Throughout history we’ve called anything we don’t understand “magic”.  To those of us in technical fields we often think of Arthur C. Clarke’s third law:
“Any sufficiently advanced technology is indistinguishable from magic”
but many things we don’t understand other than technology have been called magic as well.

Rance had a special magic.  We may not have understood how he always seemed to know who needed a kind word, or how he knew exactly what the needed word was, but he did.  In the last couple of years it was sometimes hard to understand how he remained so kind, generous, and happy in the face of his cancer battles- but he did, because he was Rance.  That is a special kind of magic, and we will miss it dearly.

While we mourn our friend we can remember him best by trying to find a little of that special Rance magic in ourselves and each other.



Jack

Kali NetHunter 3.0 Released

NetHunter has been actively developed for over a year now, and  has undergone nothing short of a complete transformation since its last release. We've taken our time with v3.0, and the results are a complete overhaul of the NetHunter Android application, with a more polished interface and a fully functioning feature set.

Through the amazing NetHunter community work led by  binkybear, fattire, and jmingov, we can now proudly look at NetHunter and confidently consider it to be a stable, commercial grade  mobile penetration testing platform. And so, we are really excited with todays release of NetHunter 3.0 - let the games begin!

Crypto in the box, stone age edition

Introduction First of all, Happy New Year to everyone! I hope 2016 will be a fantastic and healthy year, filled with fun, joy, energy, and lots of pleasant surprises. I remember when all of my data would fit on a single floppy disk. 10 times. The first laptops looked like (and felt like) mainframes on […]

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge – Version: 53.0

Revision Note: V53.0 (January 5, 2016): Added the 3133431 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10; the update is also available for Adobe Flash Player in Microsoft Edge on all supported editions of Windows 10. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.