Security Techniques

How to easily defeat Linux Encoder ransomware

If you’re staring at your server in horror and far too many of your files are encrypted by an attacker and your directories all have a file entitled “README_FOR_DECRYPT.txt,” congratulations, you’ve got it. It appears that about 2,700 red-faced website administrators have Linux.Encoder on their servers.

The good news is it’s easy to get rid of.

You could, of course, pay the ransom fee of one Bitcoin, $325 at the moment. I do not recommend you do this. Besides just encouraging ransomware programmers, the crook’s fix doesn’t work well. Security expert Brian Krebs reports that one system administrator who paid up, got his files back but, the “decryption script that puts the data back … somehow … ate some characters in a few files, adding like a comma or an extra space … to the file.”

So, I don’t care how desperate you are, paying the ransom is a dumb move.

You can also have Dr. Web, the Russian security company that discovered Linux.Encoder, try to recover your files for you. This service is only available to subscribers of Dr. Web’s commercial programs, Dr. Web Security Space or Dr. Web Enterprise Security Suite.

DNS Data Exfiltration

The obvious problem with a detection approach that relies on reaching a certain threshold of traffic is that avoiding detection is as simple as slowing down the rate you send data. For the user that is trying to use the DNS tunnel for an interactive experience, this isn’t practical. However, if the user is actually a piece of malware that is trying to steal data from inside your network, then slowing down the data rate will work, provided the criminal is patient enough and confident he will avoid detection by going “low and slow”.

Seeing this shortcoming, Infoblox released in late August a new set of signatures for ADP and Internal DNS Security customers that uses a different approach to identify these sessions. Instead of relying on volume, our threat team was able to identify unique signatures that can be used to identify a number of DNS tunneling tools, some of which have been adopted by the malware vendors as their transport of choice for your enterprise data.

By using signatures for detection, we are able to make the detection instantly and with confidence that we are not rate limiting some valid (if strange) DNS traffic.

CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow

Bug 1183461: A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

http://www.frsag.org/pipermail/frsag/2015-January/005722.html

https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd

Bypassing OpenSSL Certificate Pinning in iOS Apps

When mobile applications communicate with an API or web service, this should generally happen via TLS/SSL (e.g., HTTPS). In order to verify the identity of the server and to prevent man-in-the-middle attacks, TLS relies on certificates which prove the identity of the web server. Browsers and mobile operating systems come preconfigured with a list of trusted Certificate Authorities (CAs). Since any of the CAs may issue a certificate for any hostname/server, security-conscious applications should “pin” the expected server certificate in the application, i.e., not accept any certificate but the one issued by the known-good CA which the application developer uses.

From a penetration testing perspective, this may cause practical problems since it is difficult to intercept the communication of an application that makes use of this technique. Without pinning, interception typically involves adding the TLS certificate of an intercepting proxy (such as Burp) to the certificate store of the target operating system. However, when the app uses certificate pinning, this store is often ignored. On iOS, when the app uses standard iOS APIs, the iOS SSL Kill Switch, developed by Matasano’s sister company iSEC Partners, can be used to bypass pinning and force the application to accept any certificate presented by the server or proxy. The Kill Switch uses the Cydia Substrate which hooks the iOS functions used for certificate validation and modifies them so that they accept any certificate. It becomes more complicated when the app uses the OpenSSL library instead of the native iOS frameworks since they are not affected by the Kill Switch’s hooking.

Scams Promoting Luxury Products Are Never Out of Style

Generally, scams built around phones are carried out before and shortly after the device is launched, but both the iPhone 6 and especially the Samsung Galaxy S4 are far from being fresh devices. Despite this, crooks continue to use them as bait for unsuspecting users.

Jovi Umawing of Malwarebytes discovered a survey scam on LinkedIn touting an iPhone 6 as the grand prize and she followed the trail until a page promoting a Samsung Galaxy S4 was displayed, in a new fake raffle.

The post on LinkedIn containing the link to the scam was published by a user under the name Kolko Kolko. The fact that the picture of the user is actually that of actor Brad Pitt should make anyone think twice before clicking on any of the promoted links.

Umawing accessed the shortened links, though, and found that they led to a page with multiple surveys to complete. It seems the potential victim can skip the current offer only to be served other survey pages.

Time to fill OS X (Blue)tooth: Local privilege escalation vulnerabilities in Yosemite

Motivated by our previous findings, we performed some more tests on the IOBluetoothHCIController service of the latest version of Mac OS X (Yosemite 10.10.1), and we found five additional security issues.

The issues have been reported to Apple Security and, since the deadline we agreed upon with them has expired, we now disclose details & PoCs for four of them (the last one was notified a few days later and is still under investigation by Apple). All the issues are in the IOBluetoothHCIController class, implemented in the IOBluetoothFamily kext (md5 e4123caff1b90b81d52d43f9c47fec8f).

How to leak sensitive data from an isolated computer (air-gap) to a nearby mobile phone

Security researcher Mordechai Guri, with the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel, presented at the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014) in Puerto Rico a breakthrough method (“AirHopper”) for leaking data from an isolated computer to a mobile phone without the presence of a network.

KeySweeper: Arduino-based Keylogger for Wireless Keyboards

A security researcher has developed a cheap USB wall charger that is capable of eavesdropping on almost any Microsoft wireless keyboard.

MySpace mischief-maker Samy Kamkar has released a super-creepy keystroke logger for Microsoft wireless keyboards cunningly hidden in what appears to be a rather cheap, but functioning USB wall charger.

The stealthy Arduino-based device, dubbed “KeySweeper”, looks and functions just like a generic USB mobile charger, but actually sniffs, decrypts, logs, and reports back all keystrokes from a Microsoft wireless keyboard.

Thunderstrike 31c3

This is an annotated version of my 31C3 talk on Thunderstrike, a significant firmware vulnerability in Apple’s EFI firmware that allows untrusted code to be written to the boot ROM and can resist attempts to remove it. There is also an hour-long video of the talk if you prefer to watch instead of read. If you just want the tl;dr version, you can skip to the summary of the talk or check out the FAQ.

It’s 2015 and ATMs don’t know when a daughterboard is breaking them

Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash.

The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash.

A Samsung Galaxy S4 was then used by a remote attacker to issue commands to the dispenser, cybercrime scribe Brian Krebs reported.

NCR global security manager Charlie Harrow said the circuit board gives crime lords control, but the folks who install it are not necessarily the real perps.
