SMTP over XXE − how to send emails using Java’s XML parser

The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except <CR> and <LF>. Guess what the JRE implementers forgot? Exactly − to check for the presence of <CR> or <LF>. This means that if we put %0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.

Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die

So, if we send a USER command to a mail server instead of a FTP server, it will answer with an error code (since USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.

How IoT hackers turned a university’s network against itself

While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”

The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.

Source: How IoT hackers turned a university’s network against itself | ZDNet

The network that IoT devices must use should be isolated and secured by a firewall.  This isn’t that difficult to do.

Krebs pinpoints the likely author of the Mirai botnet

The full story is admittedly lengthy, clocking in at over 8000 words, but worth the time to understand how botnet wranglers make money siccing their zombie device armies on unsuspecting targets. The sources that pointed Krebs to Anna Senpai’s identity were involved in using botnets on behalf of shadowy clients, unleashing them on security companies protecting lucrative Minecraft servers that host thousands of players. When their online gaming is obstructed — say, by repeated and annoying DDoS attacks — players leave, giving servers an incentive to jump ship to whichever security provider can ensure protection…in this case, providers that arranged for the botnet attacks in the first place.

Source: Krebs pinpoints the likely author of the Mirai botnet

Me Too! – You Had Me At EHLO…

First off, the original mail went to 13,000 users.  Assuming that 1,000 of those 13,000 users replied, that means that there are 1,000 replies being sent to those 13,000 users.  And it turns out that a number of these people had their email client set to request read receipts and delivery receipts.  Each read and delivery receipt causes ANOTHER email to be sent from the recipient back to the sender (all 13,000 recipients).  Assuming that 20% of the 1,000 users replying had read receipts or delivery receipts set, that meant that every one of the message that they sent caused another message to be sent for every one of the 13,000 recipients. So how many messages were sent?

Source: Me Too! – You Had Me At EHLO…

Yes, we can validate the Wikileaks emails

DKIM is a system designed to stop spam. It works by verifying the sender of the email. Moreover, as a side effect, it verifies that the email has not been altered.

Hillary’s team uses “hillaryclinton.com”, which as DKIM enabled. Thus, we can verify whether some of these emails are true.

Source: Errata Security: Yes, we can validate the Wikileaks emails

I was just listening to ABC News about this story. It repeated Democrat talking points that the WikiLeaks emails weren’t validated. That’s a lie. This email in particular has been validated. I just did it, and shown you how you can validate it, too.

How does iptables hashlimit module work?

Hashlimit is an iptables module that allows one to define rules that in effect will limit traffic speed (bytes / time unit) or frequency (connections / time unit) per target or origin ports / IPs. The inner workings of this module and / or how to make it work correctly remains a mystery for many.

Hashlimit is also close friends with the limit module, only much more powerful, capable of expressing rate limiting per source IP (for example) in a single rule.

Source: Stuff I do: How does iptables hashlimit module work?

IEEE sets new Ethernet standard that brings 5X the speed without disruptive cable changes

“Going beyond 1 Gb/s with existing Cat5e and Cat6 cables was little more than a talking point two years ago. But now with NBASE-T, we have the ability to extend the life of an enormous asset —your wired network. The Cat5e and Cat6 installed in just the last 15 years now exceeds an estimated 70 billion meters of cabling, which is more than 10 trips to Pluto,”

Source: IEEE sets new Ethernet standard that brings 5X the speed without disruptive cable changes

Social Security Administration Now Requires Two-Factor Authentication

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing.  What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

Source: Social Security Administration Now Requires Two-Factor Authentication — Krebs on Security

Disable WPAD now or have your accounts and private data compromised

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Source: Disable WPAD now or have your accounts and private data compromised | CSO Online

The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”

From Slashdot comments:

To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday